Bug 1877605 (CVE-2020-25018) - CVE-2020-25018 envoyproxy/envoy: Null pointer dereference in URL parsing
Summary: CVE-2020-25018 envoyproxy/envoy: Null pointer dereference in URL parsing
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-25018
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1877598
Reported: 2020-09-10 00:38 UTC by Mark Cooper
Modified: 2021-02-16 19:16 UTC

Fixed In Version: envoy 1.15.1
Doc Text:
A flaw was found in envoy. An attacker can craft an HTTP request, which uses an Internationalized Domain Name (IDN) as the host component, resulting in an attempt to convert the host name (from Unicode to ASCII) potentially causing a segfault. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-09-30 09:57:36 UTC
Embargoed:


Description Mark Cooper 2020-09-10 00:38:31 UTC
Envoy after commit 2d69e30 may fail to parse a request URL that requires the host component to be converted from Unicode into ASCII (host canonicalization). If the host component in the request URL uses an Internationalized Domain Name (IDN) this can cause Envoy to try and convert the Unicode characters to ASCII (Punycode), potentially causing a segfault as the conversion data is not available.
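
An added example, not part of this bug report or of Envoy's code: one way to flag logged requests whose host component is not pure ASCII and would therefore need the Unicode-to-ASCII (Punycode) conversion described above. The JSON log layout and the field names `path` and `authority` are assumptions, and the sample lines are constructed.

```python
# Added example: flag logged requests whose host would need IDN conversion.
import json
from urllib.parse import urlsplit

# Constructed sample log lines (assumed layout: one JSON object per request).
SAMPLE_LOG = [
    '{"method": "GET", "path": "/index.html", "authority": "example.com"}',
    '{"method": "GET", "path": "http://b\u00fccher.example/", "authority": "b\u00fccher.example"}',
    '{"method": "GET", "path": "/", "authority": "xn--bcher-kva.example:8443"}',
    '{"method": "GET", "path": "/q?u=http://\u00e9.example/", "authority": "example.org"}',
    'not json',
]

def extract_host(value):
    """Host of an absolute URL or bare authority (host[:port]); None if unparsable."""
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the value as an authority
    try:
        return urlsplit(value).hostname
    except ValueError:
        return None

def needs_idn_conversion(host):
    """True when the host has a non-ASCII character, i.e. is not already ASCII/Punycode."""
    return bool(host) and any(ord(ch) > 0x7F for ch in host)

def flag_requests(log_lines):
    """Return (line number, field, host) for each non-ASCII host found."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if not isinstance(record, dict):
            continue
        for field in ("path", "authority"):
            value = str(record.get(field, ""))
            if field == "path" and value.startswith(("/", "*")):
                continue  # origin-form or asterisk-form target: no host component
            host = extract_host(value)
            if needs_idn_conversion(host):
                hits.append((number, field, host))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```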

Comment 1 Mark Cooper 2020-09-10 00:39:47 UTC
Acknowledgments:

Name: the Envoy security team

Comment 2 Mark Cooper 2020-09-10 02:21:09 UTC
Issue originally introduced here: https://github.com/envoyproxy/envoy/commit/2d69e30c51f2418faf267aaa6c1126fce9948c62

OpenShift ServiceMesh 1.1 uses envoy v1.12.6 and OSSM 2.0 uses v1.14.4, neither of which included the affected code and hence is not affected.

Comment 4 Mark Cooper 2020-09-30 06:20:02 UTC
External References:

https://github.com/envoyproxy/envoy/security/advisories/GHSA-fwwh-fc9w-9673

Comment 7 Product Security DevOps Team 2020-09-30 09:57:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25018

