Bug 1877605 (CVE-2020-25018)

Summary: CVE-2020-25018 envoyproxy/envoy: Null pointer dereference in URL parsing
Product: [Other] Security Response
Reporter: Mark Cooper <mcooper>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: kconner, rcernich, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: envoy 1.15.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in envoy. An attacker can craft an HTTP request, which uses an Internationalized Domain Name (IDN) as the host component, resulting in an attempt to convert the host name (from Unicode to ASCII) potentially causing a segfault. The highest threat from this vulnerability is to system availability.
Story Points: ---
Last Closed: 2020-09-30 09:57:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1877598

Description Mark Cooper 2020-09-10 00:38:31 UTC
Envoy after commit 2d69e30 may fail to parse a request URL that requires the host component to be converted from Unicode into ASCII (host canonicalization). If the host component in the request URL uses an Internationalized Domain Name (IDN) this can cause Envoy to try and convert the Unicode characters to ASCII (Punycode), potentially causing a segfault as the conversion data is not available.
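The failure mode described above is a host canonicalizer that assumes the Unicode-to-ASCII (Punycode) conversion always succeeds and dereferences its result. The following is an added illustration, not Envoy's code or its fix: a hypothetical `canonicalize_host` that fails closed, returning an explicit error when the IDN conversion is unavailable or rejects the label, so a request with an IDN host is refused rather than crashing the process. The `idn_available` flag is a constructed stand-in for "conversion data is not available"; the URLs are constructed sample inputs.

```python
from urllib.parse import urlsplit

# Hypothetical hardened host canonicalization (added example, not Envoy code).
# Returns (ascii_host, None) on success or (None, reason) on failure; the caller
# is expected to reject the request when a reason is returned.
def canonicalize_host(url: str, idn_available: bool = True):
    parts = urlsplit(url)
    host = parts.hostname  # already lowercased by urlsplit; None if absent
    if not host:
        return None, "missing host component"

    if not host.isascii() and not idn_available:
        # Model of the page's failure mode: conversion data is absent. A safe
        # canonicalizer reports this instead of using a null result.
        return None, "IDN host but Unicode-to-ASCII conversion is unavailable"

    try:
        # Stdlib IDNA codec: converts Unicode labels to Punycode and also
        # validates ASCII labels (empty or over-long labels raise UnicodeError).
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        return None, f"IDN conversion failed: {exc}"
    return ascii_host, None


if __name__ == "__main__":
    # Constructed sample inputs: plain ASCII, an IDN host, an IDN host with
    # conversion unavailable, and an over-long label that the codec rejects.
    for url, avail in [
        ("http://Example.COM/path", True),
        ("http://bücher.example/path", True),
        ("http://bücher.example/path", False),
        ("http://" + "a" * 64 + ".example/", True),
    ]:
        print(url, "->", canonicalize_host(url, idn_available=avail))
```

Every branch returns a value the caller can act on; nothing in the function assumes the conversion produced a usable pointer or string, which is the property the advisory text says was missing.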

Comment 1 Mark Cooper 2020-09-10 00:39:47 UTC
Acknowledgments:

Name: the Envoy security team

Comment 2 Mark Cooper 2020-09-10 02:21:09 UTC
Issue originally introduced here: https://github.com/envoyproxy/envoy/commit/2d69e30c51f2418faf267aaa6c1126fce9948c62

OpenShift ServiceMesh 1.1 uses envoy v1.12.6 and OSSM 2.0 uses v1.14.4, neither of which includes the affected code, and hence neither is affected.

Comment 4 Mark Cooper 2020-09-30 06:20:02 UTC
External References:

https://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673

Comment 7 Product Security DevOps Team 2020-09-30 09:57:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25018