Bug 2217977 (CVE-2023-35941)

Summary: CVE-2023-35941 envoy: OAuth2 credentials exploit with permanent validity
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jwendell, rcernich, security-response-team, twalsh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: envoy 1.26.3, envoy 1.25.8, envoy 1.24.9, envoy 1.23.11 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Envoy, where a malicious client can construct credentials with permanent validity in a specific scenario. This issue is caused by some rare scenarios, such as the combination of host and expiration time, in which the HMAC payload can always be valid in the OAuth2 filter's HMAC check.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-11 21:32:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2217969    

Description Guilherme de Almeida Suckevicz 2023-06-27 18:24:24 UTC 
Malicious client is able to construct credentials with permanent validity in some specific scenario. This is caused by some rare scenarios, like the combination of host and expire time, in which HMAC payload can be always valid in OAuth2 filter's HMAC check.
Comment 4 errata-xmlrpc 2023-08-11 16:48:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:4624 https://access.redhat.com/errata/RHSA-2023:4624
Comment 5 errata-xmlrpc 2023-08-11 16:49:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.4 for RHEL 8

Via RHSA-2023:4625 https://access.redhat.com/errata/RHSA-2023:4625
Comment 6 Product Security DevOps Team 2023-08-11 21:32:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-35941
Comment 7 errata-xmlrpc 2023-09-14 17:35:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.2 for RHEL 8

Via RHSA-2023:5175 https://access.redhat.com/errata/RHSA-2023:5175