Bug 2088742

Summary: envoy: Test only method Envoy::Http::validHeaderString used in production in vendor specific HTTP filters
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: jwendell, rcernich
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Envoy 1.22.1, Envoy 1.21.3, Envoy 1.20.4, Envoy 1.19.5
Doc Type: If docs needed, set a value
Bug Blocks: 2088743

Description Avinash Hanwate 2022-05-20 11:39:57 UTC
A method designed for sanity checking of HTTP header values during tests, Envoy::Http::validHeaderString, was determined to be used in production in vendor-specific HTTP extensions, including open-source extensions, for validating RFC compliance of header values. However, the method does not perform strict RFC compliance checks and allows characters prohibited by the standard. This may cause affected extensions to produce malformed upstream requests that may fail to be processed correctly by subsequent HTTP filters or fail to be logged by access loggers.

This problem does not affect any extensions in Envoy’s repository and as such, no CVE number will be assigned. The fix is provided under embargo to avoid 0-day exploits for affected HTTP filters outside of the Envoy repository.
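For comparison, a strict field-value check written for this page as an illustration (it is neither Envoy's validHeaderString nor the code of any affected vendor filter): it enforces the RFC 7230 §3.2 field-content grammar, which is the kind of production check the report says a test-only helper should not be relied on for.

```cpp
#include <iostream>
#include <string>

// Hypothetical strict validator for an HTTP field-value (RFC 7230 §3.2):
//   field-value   = *( field-content / obs-fold )   ; obs-fold is rejected here
//   field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
//   field-vchar   = VCHAR / obs-text                ; VCHAR 0x21-0x7E, obs-text 0x80-0xFF
// Every control byte (NUL, CR, LF, ...) is rejected, and the value may not
// start or end with whitespace, since that is OWS a parser must already have stripped.
bool isStrictRfcHeaderValue(const std::string& value) {
  for (unsigned char c : value) {
    const bool is_vchar = c >= 0x21 && c <= 0x7E;
    const bool is_ws = c == ' ' || c == '\t';
    const bool is_obs_text = c >= 0x80;
    if (!(is_vchar || is_ws || is_obs_text)) {
      return false;
    }
  }
  if (!value.empty()) {
    const char first = value.front();
    const char last = value.back();
    if (first == ' ' || first == '\t' || last == ' ' || last == '\t') {
      return false;
    }
  }
  return true;
}

int main() {
  // Constructed sample values, not taken from any real request.
  const std::string samples[] = {
      "text/html; charset=utf-8",          // valid
      std::string("a\r\nX-Injected: 1"),   // CR/LF: rejected
      std::string("a\0b", 3),              // embedded NUL: rejected
      " leading-space",                    // unstripped OWS: rejected
  };
  for (const auto& s : samples) {
    std::cout << (isStrictRfcHeaderValue(s) ? "valid  : " : "invalid: ") << s << "\n";
  }
  return 0;
}
```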