Bug 1907804 (CVE-2020-35471)

Summary: CVE-2020-35471 envoy: mishandling dropped and truncated datagrams leads to segfault and DoS
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: jwendell, kconner, rcernich, twalsh
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: envoy 1.16.1
Doc Text:
A NULL pointer dereference vulnerability was found in Envoy. During the handling of truncated or dropped UDP datagrams, this flaw allows an attacker to specify the length of the packet to be larger than 1500 bytes and cause the envoy proxy process to segfault, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Last Closed: 2020-12-16 04:18:20 UTC
Bug Blocks: 1907809    

Description Marian Rehak 2020-12-15 09:45:12 UTC
Envoy before 1.16.1 mishandles dropped and truncated datagrams, as demonstrated by a segmentation fault for a UDP packet size larger than 1500.

Upstream Issue:

https://github.com/envoyproxy/envoy/issues/14113

Comment 1 Product Security DevOps Team 2020-12-16 04:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35471

Comment 3 Mark Cooper 2020-12-17 04:35:59 UTC
OpenShift ServiceMesh (Istio upstream) does not implement the UDP proxy in Envoy. 

Ref: https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/

However, it does still ship the affected code, so have marked low and wontfix as the code is unreachable.

Comment 5 Mark Cooper 2020-12-17 06:05:47 UTC
Upstream fix: https://github.com/envoyproxy/envoy/pull/14122/files

Comment 6 Mark Cooper 2020-12-17 07:08:50 UTC
Can also be confirmed when attempting to create a virtualservice for proxying traffic in istio, one will get the error:

Error from server: error when creating "test-gateway.yaml": admission webhook "validation.istio.io" denied the request: configuration is invalid: http, tcp or tls must be provided in virtual service

Comment 8 RaTasha Tillery-Smith 2021-01-04 14:14:45 UTC
Statement:

While OpenShift ServiceMesh (OSSM) does package a vulnerable version of Envoy, it does not implement the UDP proxy in Envoy. Therefore, it has been assessed with a Low impact, Wontfix, and may be addressed in a future release.
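
The reachability reasoning in the comments above (a vulnerable Envoy build is only exposed if it actually listens on UDP) can be checked against a deployment's own configuration. The following is an added example, not code from this bug report, Red Hat or the Envoy project. It assumes a JSON-form Envoy bootstrap with statically defined listeners, so listeners delivered over xDS are not seen. The verdict labels and the sample configuration are constructed for illustration.

```python
FIXED = (1, 16, 1)  # "Fixed In Version: envoy 1.16.1" per this bug

def parse_version(text):
    """'v1.16.0' or '1.16.0-dev' -> (1, 16, 0); build suffixes are ignored."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version, bootstrap):
    """Return (verdict, udp_listeners) for one Envoy instance.

    Assumption: any listener bound with protocol UDP counts as a reachable
    datagram-handling path, whichever UDP filter sits on it.
    """
    udp = []
    for lst in bootstrap.get("static_resources", {}).get("listeners", []):
        sock = lst.get("address", {}).get("socket_address", {})
        # Envoy's socket_address.protocol defaults to TCP when omitted.
        if str(sock.get("protocol", "TCP")).upper() == "UDP":
            udp.append({
                "name": lst.get("name"),
                "port": sock.get("port_value"),
                "filters": [f.get("name") for f in lst.get("listener_filters", [])],
            })
    if parse_version(version) >= FIXED:
        return "fixed", udp
    return ("vulnerable-reachable" if udp else "vulnerable-unreachable"), udp

# Constructed sample bootstrap: one TCP listener, one UDP proxy listener.
SAMPLE = {"static_resources": {"listeners": [
    {"name": "http_in",
     "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8080}},
     "filter_chains": []},
    {"name": "dns_udp",
     "address": {"socket_address": {"protocol": "UDP", "address": "0.0.0.0",
                                    "port_value": 5353}},
     "listener_filters": [{"name": "envoy.filters.udp_listener.udp_proxy"}]},
]}}

if __name__ == "__main__":
    verdict, listeners = triage("1.16.0", SAMPLE)
    print(verdict)
    for item in listeners:
        print(f"  UDP listener {item['name']} on port {item['port']}: {item['filters']}")
```

A `vulnerable-unreachable` result corresponds to the situation the comments describe for OpenShift ServiceMesh: the affected code ships, but no UDP listener is configured.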