Announcing fixes for 2 zero days

467 views
Skip to first unread message

Matt Klein

unread,
Nov 20, 2020, 9:46:29 PM11/20/20
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-users, envoy-dev, Envoy-maintainers, envoy-security
Hi all,

We are announcing the fixes for two zero days that were identified today:
  1. Crash in UDP proxy when datagram size is > 1500. This can happen if either MTU > 1500 or if fragmented datagrams are forwarded and reassembled: https://github.com/envoyproxy/envoy/pull/14122. This issue was already under embargo and a new issue was opened in public GitHub.
  2. Proxy proto downstream address not restored correctly for non-HTTP connectionshttps://github.com/envoyproxy/envoy/pull/14131. This issue was opened publicly recently but the security implications were not clear at the time. This will affect logging and network level RBAC for non-HTTP network connections.
A few administrative items:
  1. Backports are complete for v1.16.1. The release has been tagged. Images should be available later.
  2. Backports for other supported stable versions where the bugs apply will go out next week. Issue (1) affects all versions with the UDP proxy filter. Issue (2) only effects v1.16.0.
  3. We will provide more complete writeups, CVE numbers, etc. later next week.
Thanks,
Envoy security team
Reply all
Reply to author
Forward
0 new messages