Bug 1877613 (CVE-2020-25017)

Summary: CVE-2020-25017 envoyproxy/envoy: incorrectly handles multiple HTTP headers in requests
Product: [Other] Security Response Reporter: Mark Cooper <mcooper>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kconner, rcernich, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: envoy 1.15.1 Doc Type: If docs needed, set a value
Doc Text:
An incorrect access control bypass vulnerability was found in envoy proxy/envoy. This flaw allows an attacker to send multiple HTTP headers where only the first one is valid. Envoy then forwards all of the headers as valid to the upstream component. This issue allows an attacker to subvert any envoy filters or rules, causing an inconsistency between envoy and the upstream component, potentially gaining access to restricted resources.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-30 20:21:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1877598    

Description Mark Cooper 2020-09-10 01:35:14 UTC 
Envoy through v1.15.0 incorrectly handles multiple HTTP headers contained within a request. If Envoy validates multiple non-inline headers, only the first is validated and hence all others are assumed valid, allowing an access control bypass.
Comment 1 Mark Cooper 2020-09-10 01:35:16 UTC 
Acknowledgments:

Name: the Envoy security team
Comment 3 Anten Skrabec 2020-09-29 21:15:05 UTC 
External References:

https://istio.io/latest/news/security/istio-security-2020-010/
Comment 4 Mark Cooper 2020-09-30 06:31:19 UTC 
upstream fix: https://github.com/envoyproxy/envoy/commit/2c60632d41555ec8b3d9ef5246242be637a2db0f
Comment 5 errata-xmlrpc 2020-09-30 13:13:49 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:4129 https://access.redhat.com/errata/RHSA-2020:4129
Comment 6 Product Security DevOps Team 2020-09-30 20:21:39 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25017