Bug 1856232 (CVE-2020-15104)

Summary: CVE-2020-15104 envoyproxy/envoy: incorrectly validates TLS certificates when using wildcards for DNS SANs
Product: [Other] Security Response
Reporter: Mark Cooper <mcooper>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: kconner, rcernich
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: envoy 1.15.0, istio 1.5.8, istio 1.6.5
Doc Type: If docs needed, set a value
Doc Text:
An improper certificate validation vulnerability was found in envoyproxy/envoy, when externally created certificates with wildcards in the DNS Subject Alternative Name are used. This flaw allows an attacker to subvert the envoy filter or destination rules to access restricted resources. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-07-22 13:27:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1856187

Description Mark Cooper 2020-07-13 06:37:35 UTC
Envoy before v1.15.0 and Istio before 1.6.5 (and 1.5.8) doesn't correctly validate TLS certificates when using wildcards. When wildcards are specified in the DNS Subject Alternative Name (SAN) and include multiple subdomains such as *.site.com, Envoy incorrectly allows and matches further subdomains such as bad.subdomain.site.com.
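The matching behaviour described above, as an added illustration that is not Envoy's code and not the fix from PR 11921: a naive matcher that treats `*.site.com` as "anything ending in .site.com" is placed beside a matcher that follows the RFC 6125 section 6.4.3 rules (the wildcard must be the entire left-most label, the pattern must keep at least two labels after it, and the wildcard covers exactly one label of the presented name). The pattern and host names are constructed for the demonstration; the function names are the example's own.

```cpp
// Added example, not Envoy's implementation: a suffix-only wildcard matcher
// that exhibits the CVE-2020-15104 behaviour next to an RFC 6125-style one.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

namespace {

// DNS names compare case-insensitively, so normalise both sides first.
std::string lower(std::string s) {
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

} // namespace

// Naive matcher: "*.site.com" becomes "ends with .site.com", so a name with
// extra labels such as "bad.subdomain.site.com" is accepted.
bool naiveWildcardMatch(const std::string& dns_name, const std::string& pattern) {
  const std::string name = lower(dns_name), pat = lower(pattern);
  if (name == pat) return true;
  if (pat.size() > 1 && pat[0] == '*' && pat[1] == '.') {
    const std::string suffix = pat.substr(1); // ".site.com"
    return name.size() > suffix.size() &&
           name.compare(name.size() - suffix.size(), suffix.size(), suffix) == 0;
  }
  return false;
}

// RFC 6125-style matcher: the wildcard is the whole left-most label, there is
// only one wildcard, at least two labels follow it (so "*.com" is rejected),
// and it stands in for exactly one non-empty label of the presented name.
bool strictWildcardMatch(const std::string& dns_name, const std::string& pattern) {
  const std::string name = lower(dns_name), pat = lower(pattern);
  if (name == pat) return true; // exact match needs no wildcard logic

  const size_t star = pat.find('*');
  if (star == std::string::npos) return false;                   // no wildcard, no exact match
  if (star != 0 || pat.size() < 2 || pat[1] != '.') return false; // "*" must be the full first label
  if (pat.find('*', 1) != std::string::npos) return false;      // a single wildcard only

  const std::string suffix = pat.substr(1); // ".site.com"
  if (suffix.find('.', 1) == std::string::npos) return false;   // reject "*.com"

  if (name.size() <= suffix.size()) return false;
  if (name.compare(name.size() - suffix.size(), suffix.size(), suffix) != 0) return false;

  // Whatever the wildcard covered must be one label: non-empty and dot-free.
  const std::string covered = name.substr(0, name.size() - suffix.size());
  return !covered.empty() && covered.find('.') == std::string::npos;
}

int main() {
  // Constructed sample: a wildcard DNS SAN from a hypothetical external certificate.
  const std::string pattern = "*.site.com";
  const std::vector<std::string> names = {"api.site.com", "bad.subdomain.site.com",
                                          "site.com", "evilsite.com"};
  for (const auto& n : names) {
    std::printf("%-26s naive=%d strict=%d\n", n.c_str(),
                naiveWildcardMatch(n, pattern), strictWildcardMatch(n, pattern));
  }
  return 0;
}
```

Only the second matcher rejects `bad.subdomain.site.com` for `*.site.com`; both accept `api.site.com`. When reviewing a proxy or client's SAN matching, the dot-free check on the portion the wildcard covers is the line to look for.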

Comment 1 Mark Cooper 2020-07-13 06:37:38 UTC
Acknowledgments:

Name: the Envoy Security Team

Comment 3 Mark Cooper 2020-07-13 06:49:19 UTC
Fix, git commit: https://github.com/envoyproxy/envoy/pull/11921/files

Comment 7 Mark Cooper 2020-07-14 07:23:29 UTC
External References:

https://istio.io/latest/news/security/istio-security-2020-008/

Comment 8 errata-xmlrpc 2020-07-22 08:07:48 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:3090 https://access.redhat.com/errata/RHSA-2020:3090

Comment 9 Product Security DevOps Team 2020-07-22 13:27:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15104

Comment 10 RaTasha Tillery-Smith 2020-08-12 17:01:28 UTC
Statement:

For OpenShift ServiceMesh to be affected by this vulnerability, it must be configured to validate externally issued certificates. By default, ServiceMesh does not issue certificates that use DNS wildcard SANs.