Bug 2339147 (CVE-2025-0754)

Summary: CVE-2025-0754 envoyproxy: OpenShift Service Mesh 2.6.3 and 2.5.6 Envoy Header Handling Allows Log Injection and Potential Spoofing
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: dcillera, jwendell, rcernich, sburke, security-response-team, twalsh
Keywords: Security
Flags: sburke: needinfo? (dcillera)
Hardware: All
OS: Linux
Doc Text:
The vulnerability was found in OpenShift Service Mesh 2.6.3 and 2.5.6. It is caused by improper sanitization of HTTP headers by Envoy, in particular the x-forwarded-for header. Because the header value is written to service mesh logs without sanitization, an attacker who controls it can inject arbitrary content into log entries, leading to log injection and spoofing. Such injections can mislead logging mechanisms, letting an attacker forge or manipulate log entries, misattribute the source of a request, or, where the logs are rendered in a web interface that does not escape them, trigger reflected cross-site scripting (XSS).

Description OSIDB Bzimport 2025-01-21 14:28:39 UTC
The vulnerability arises due to insufficient sanitization of HTTP headers within the OpenShift Service Mesh, specifically allowing log injection attacks via the x-forwarded-for header. This could result in misleading log entries, potential XSS attacks, and misattribution of request sources. However, the impact is limited since it primarily affects logging and does not directly lead to remote code execution or privilege escalation.

Comment 4 dcillera 2025-03-19 17:11:54 UTC
The advised remediation is the same as described in my comment (dated March 19th) in Bug 2339115, based on Envoy configuration and summarized in the following:

1) Filter possibly malicious headers
Any HTTP header (x-forwarded-for included) can be stripped from a request by using the key "request_headers_to_remove".

2) Do not trust addresses in the x-forwarded-for header but use the downstream IP address.
This is possible with the following configuration:

xff_num_trusted_hops = 0 (no trusted addresses in XFF)
use_remote_address = true (untrusted environments: do not use the x-forwarded-for HTTP header but use the downstream real address instead)
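The spoofing/log-injection mechanism from the description and the two remediation steps from comment 4, as a runnable model added here for illustration. This is not Envoy or OpenShift Service Mesh code and is not from the bug report: it models the documented semantics of `use_remote_address`, `xff_num_trusted_hops` and `request_headers_to_remove`, with a simplified fallback for missing, short or malformed XFF values (an assumption of the model, stated in the docstring). The sample request, the addresses and the log-line layout are constructed, and `sanitize_for_log` is an additional measure of this example, not one of the two advised configuration steps.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample request, as the Envoy sidecar sees it.  DOWNSTREAM_ADDR is
# the TCP peer the sidecar accepted the connection from; the XFF value is
# entirely attacker-controlled.  Example data, not from the bug report.
DOWNSTREAM_ADDR = "198.51.100.23"
ATTACKER_HEADERS = {
    ":method": "GET",
    ":path": "/api/orders",
    "x-forwarded-for": "<script>alert(document.cookie)</script>, 10.0.0.1",
    "user-agent": "curl/8.0",
}


@dataclass
class HcmConfig:
    """The two HttpConnectionManager knobs named in the remediation (Envoy defaults)."""
    use_remote_address: bool = False
    xff_num_trusted_hops: int = 0


@dataclass
class RouteConfig:
    """RouteConfiguration.request_headers_to_remove, the first remediation step."""
    request_headers_to_remove: List[str] = field(default_factory=list)


def strip_request_headers(headers: Dict[str, str], route: RouteConfig) -> Dict[str, str]:
    """Drop every header listed in request_headers_to_remove (names are case-insensitive)."""
    drop = {name.lower() for name in route.request_headers_to_remove}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def trusted_client_address(headers: Dict[str, str], downstream_addr: str, cfg: HcmConfig) -> str:
    """Model of how Envoy picks the client address it logs and acts on.

    use_remote_address=True,  xff_num_trusted_hops=0 -> downstream address, XFF ignored
    use_remote_address=True,  xff_num_trusted_hops=N -> (N+1)th entry from the right of XFF
    use_remote_address=False                         -> (N+1)th entry from the right of XFF
    Simplification (assumption of this model): a missing, short or malformed XFF
    falls back to the downstream address.
    """
    n = cfg.xff_num_trusted_hops
    if cfg.use_remote_address and n == 0:
        return downstream_addr
    entries = [e.strip() for e in headers.get("x-forwarded-for", "").split(",") if e.strip()]
    if len(entries) < n + 1:
        return downstream_addr
    try:
        return str(ipaddress.ip_address(entries[-(n + 1)]))
    except ValueError:
        return downstream_addr


def sanitize_for_log(value: str) -> str:
    """Extra defence for any header that is still logged: percent-encode control
    characters, quotes, backslash and HTML metacharacters, so neither a fake log
    line nor a script tag can be smuggled into the log.  Not one of the two
    configuration steps; an additional measure of this example."""
    out = []
    for ch in value:
        if ch.isprintable() and ch not in '"\\<>&':
            out.append(ch)
        else:
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def access_log_line(headers: Dict[str, str], downstream_addr: str,
                    cfg: HcmConfig, route: RouteConfig, escape: bool = False) -> str:
    """Produce one access-log entry.  The layout is this example's own, but the
    fields mirror Envoy operators: %DOWNSTREAM_REMOTE_ADDRESS% and
    %REQ(X-FORWARDED-FOR)%, the latter being where the injected value lands."""
    headers = strip_request_headers(headers, route)
    xff = headers.get("x-forwarded-for", "-")
    if escape:
        xff = sanitize_for_log(xff)
    client = trusted_client_address(headers, downstream_addr, cfg)
    return (f'"{headers[":method"]} {headers[":path"]} HTTP/1.1" '
            f'client={client} downstream={downstream_addr} xff="{xff}"')


VULNERABLE = (HcmConfig(), RouteConfig())
HARDENED = (HcmConfig(use_remote_address=True, xff_num_trusted_hops=0),
            RouteConfig(request_headers_to_remove=["x-forwarded-for"]))


if __name__ == "__main__":
    # Default settings: the spoofed 10.0.0.1 becomes the "client" and the
    # script tag is written verbatim into the log.
    print("vulnerable:", access_log_line(ATTACKER_HEADERS, DOWNSTREAM_ADDR, *VULNERABLE))
    # Advised settings: XFF stripped, client address taken from the TCP peer.
    print("hardened:  ", access_log_line(ATTACKER_HEADERS, DOWNSTREAM_ADDR, *HARDENED))
    # If XFF must be kept (e.g. behind one trusted load balancer), escape it.
    print("escaped:   ", access_log_line(ATTACKER_HEADERS, DOWNSTREAM_ADDR,
                                         HcmConfig(use_remote_address=True, xff_num_trusted_hops=1),
                                         RouteConfig(), escape=True))
```

With the default settings the log line records the attacker's 10.0.0.1 as the client and carries the script tag verbatim; with `use_remote_address = true`, `xff_num_trusted_hops = 0` and `x-forwarded-for` in `request_headers_to_remove` the line records only the downstream peer address and no XFF value. The third case shows the check to make when a trusted load balancer sits in front of the mesh and XFF cannot simply be dropped: raise `xff_num_trusted_hops` to the number of trusted hops and escape the header before it reaches the log.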