Bug 1802542 (CVE-2020-8664)
| Field | Value |
|---|---|
| Summary | CVE-2020-8664 envoy: Incorrect Access Control when using SDS with Combined Validation Context |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Dhananjay Arunesh <darunesh> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | kconner, rcernich, security-response-team |
| Keywords | Security |
| Fixed In Version | envoy 1.13.1 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2020-03-05 22:31:47 UTC |
| Bug Blocks | 1802569 |

Doc Text:

An access control bypass vulnerability was found in Envoy 1.13.0 and earlier when SDS (Secret Discovery Service) is used with a combined validation context. If the same SDS secret, for example the trusted CA, is referenced from more than one resource, the static part of the combined validation context, such as subject alternative name matching or certificate hash verification, is not applied to the peer certificate. A client certificate that chains to the trusted CA but does not satisfy those static restrictions is therefore accepted, bypassing the intended access control. Fixed in Envoy 1.13.1.
Description
Dhananjay Arunesh
2020-02-13 11:37:34 UTC

Acknowledgments:
Name: The Envoy Security Team

This issue has been addressed in the following products:
OpenShift Service Mesh 1.0
Via RHSA-2020:0734 https://access.redhat.com/errata/RHSA-2020:0734

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8664

External References:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-3x9m-pgmg-xpx8
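The trigger condition described in the Doc Text is a configuration pattern: a combined validation context whose dynamic part (the trusted CA) comes from an SDS secret that more than one resource references, with the static part (SAN matching, certificate hash or SPKI pinning) being what Envoy 1.13.0 and earlier fail to enforce. The scanner below is an added example, not code from Envoy, the Envoy Security Team or Red Hat. It walks an Envoy bootstrap configuration or admin config_dump (any JSON-shaped structure, v2 or v3 field names) and reports every SDS validation secret referenced from more than one combined_validation_context, together with the static restrictions that an affected version would silently skip. The embedded configuration, the listener and secret names, and the helper `_mtls_listener` are constructed for this example; the scanner matches on field names only, so the `@type` values are illustrative.

```python
"""Scan an Envoy config for the pattern behind CVE-2020-8664.

Added example, not code from Envoy or Red Hat. Envoy 1.13.0 and earlier do
not apply the static part of a combined validation context (the
default_validation_context carrying SAN matches or certificate pins) when
the SDS secret supplying the dynamic part is shared by several resources.
The scanner below reports exactly that pattern in a bootstrap config or an
admin /config_dump (v2 or v3 field names), listing the restrictions that an
affected version would silently skip.
"""
import json
from collections import defaultdict

# CertificateValidationContext fields that restrict which peers are accepted.
# These belong in the static default_validation_context; the SAN match field
# was renamed between API versions, so both spellings are listed.
RESTRICTION_FIELDS = (
    "verify_subject_alt_name",     # older v2 spelling
    "match_subject_alt_names",     # later v2 releases and v3
    "verify_certificate_hash",
    "verify_certificate_spki",
)


def _walk(node, path):
    """Yield (path, mapping) for every mapping in a nested JSON structure.
    List elements that carry a "name" (listeners, clusters, secrets) are
    addressed by that name so findings are readable."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, path + [key])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            label = value.get("name") if isinstance(value, dict) else None
            yield from _walk(value, path + [label or str(index)])


def find_shared_validation_secrets(config):
    """Return {secret_name: [(resource_path, [restriction_fields]), ...]}
    for every SDS validation secret referenced by more than one
    combined_validation_context. An empty dict means the config does not
    contain the pattern that CVE-2020-8664 affects."""
    uses = defaultdict(list)
    for path, node in _walk(config, []):
        cvc = node.get("combined_validation_context")
        if not isinstance(cvc, dict):
            continue
        secret = cvc.get("validation_context_sds_secret_config", {}).get("name")
        if not secret:
            continue
        static = cvc.get("default_validation_context", {})
        restrictions = [f for f in RESTRICTION_FIELDS if f in static]
        uses[secret].append(("/".join(path), restrictions))
    return {s: refs for s, refs in uses.items() if len(refs) > 1}


def _mtls_listener(name, cert_secret, ca_secret, allowed_sans):
    """Constructed listener requiring client certificates; the CA comes from
    SDS, the allowed SANs are static. Field names follow the v3 TLS API."""
    tls_context = {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets"
                 ".tls.v3.DownstreamTlsContext",
        "require_client_certificate": True,
        "common_tls_context": {
            "tls_certificate_sds_secret_configs": [
                {"name": cert_secret, "sds_config": {"ads": {}}}],
            "combined_validation_context": {
                # Static part: who may connect. This is what 1.13.0 and
                # earlier drop when ca_secret is shared between resources.
                "default_validation_context": {
                    "match_subject_alt_names": [
                        {"exact": san} for san in allowed_sans]},
                # Dynamic part: trusted CA delivered over SDS.
                "validation_context_sds_secret_config": {
                    "name": ca_secret, "sds_config": {"ads": {}}},
            },
        },
    }
    return {"name": name,
            "filter_chains": [{"transport_socket": {
                "name": "envoy.transport_sockets.tls",
                "typed_config": tls_context}}]}


# Constructed sample: two listeners share the "trusted_ca" SDS secret while
# pinning different client SANs; the admin listener uses its own CA secret
# and is therefore not reported.
SAMPLE_CONFIG = {"static_resources": {"listeners": [
    _mtls_listener("ingress_a", "cert_a", "trusted_ca", ["svc-a.mesh.local"]),
    _mtls_listener("ingress_b", "cert_b", "trusted_ca", ["svc-b.mesh.local"]),
    _mtls_listener("admin", "cert_admin", "admin_ca", ["ops.mesh.local"]),
]}}


if __name__ == "__main__":
    # Against a live proxy, feed it json.load() of the admin /config_dump.
    print(json.dumps(find_shared_validation_secrets(SAMPLE_CONFIG), indent=2))
```

A non-empty result on a proxy older than 1.13.1 means the listed SAN or hash restrictions are not being enforced for those resources, whatever the active configuration shows; the fix is the upgrade named in the Fixed In Version field. On 1.13.1 or later the same pattern is safe, and the scanner is then only an inventory of where shared validation secrets are in use.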