Bug 1877613 (CVE-2020-25017) - CVE-2020-25017 envoyproxy/envoy: incorrectly handles multiple HTTP headers in requests
Status: CLOSED ERRATA
Alias: CVE-2020-25017
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Blocks: 1877598
Reported: 2020-09-10 01:35 UTC by Mark Cooper
Modified: 2021-09-22 12:33 UTC

Fixed In Version: envoy 1.15.1
Doc Text:
An access control bypass vulnerability was found in envoyproxy/envoy. This flaw allows an attacker to send multiple HTTP headers where only the first one is valid. Envoy then forwards all of the headers as valid to the upstream component. This allows an attacker to subvert any Envoy filters or rules by causing an inconsistency between Envoy and the upstream component, potentially gaining access to restricted resources.
Last Closed: 2020-09-30 20:21:39 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:4129 | 0 | None | None | None | 2020-09-30 13:13:51 UTC

Description Mark Cooper 2020-09-10 01:35:14 UTC
Envoy through v1.15.0 incorrectly handles multiple HTTP headers contained within a request. If Envoy validates multiple non-inline headers, only the first is validated and hence all others are assumed valid, allowing an access control bypass.
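
The flaw class described above, as an added example that is not part of the original report and is not Envoy source code: a simplified model of a header rule that checks only the first occurrence of a repeated header, next to a check that validates every occurrence. The header name `x-tenant`, the permitted set and the sample request are constructed for illustration, and the upstream is assumed to join repeated headers with commas as RFC 7230 section 3.2.2 permits.

```python
from typing import List, Set, Tuple

Headers = List[Tuple[str, str]]  # ordered, repeated names preserved

# Constructed sample request: the same header name appears twice.
SAMPLE = ("GET /reports HTTP/1.1\r\nHost: example.test\r\n"
          "X-Tenant: public\r\nX-Tenant: internal\r\n\r\n")

def parse_headers(raw: str) -> Headers:
    """Parse an HTTP/1.1 header block without collapsing duplicates."""
    headers: Headers = []
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def values(headers: Headers, name: str) -> List[str]:
    return [v for n, v in headers if n == name.lower()]

def allowed_first_only(headers: Headers, name: str, permitted: Set[str]) -> bool:
    """Flawed model: only the first occurrence is validated."""
    vals = values(headers, name)
    return bool(vals) and vals[0] in permitted

def allowed_all_values(headers: Headers, name: str, permitted: Set[str]) -> bool:
    """Hardened model: every occurrence, and every comma-separated
    member of each occurrence, must be permitted."""
    parts = [p.strip() for v in values(headers, name) for p in v.split(",")]
    return bool(parts) and all(p in permitted for p in parts)

def upstream_view(headers: Headers, name: str) -> str:
    """Assumed upstream behaviour: repeated headers joined with ', '."""
    return ", ".join(values(headers, name))

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE)
    print("first-only check :", allowed_first_only(hdrs, "x-tenant", {"public"}))
    print("all-values check :", allowed_all_values(hdrs, "x-tenant", {"public"}))
    print("upstream receives:", upstream_view(hdrs, "x-tenant"))
```

The two checks disagree only when a header is repeated or carries a comma-separated list, which makes that disagreement a useful regression test for any proxy rule that matches on header values.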

Comment 1 Mark Cooper 2020-09-10 01:35:16 UTC
Acknowledgments:

Name: the Envoy security team

Comment 3 Anten Skrabec 2020-09-29 21:15:05 UTC
External References:

https://istio.io/latest/news/security/istio-security-2020-010/

Comment 5 errata-xmlrpc 2020-09-30 13:13:49 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:4129 https://access.redhat.com/errata/RHSA-2020:4129

Comment 6 Product Security DevOps Team 2020-09-30 20:21:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25017

