The vulnerability arises from insufficient sanitization of HTTP headers within OpenShift Service Mesh, which allows log injection through the x-forwarded-for header. An attacker who controls that header can produce misleading log entries, cause requests to be attributed to the wrong source, and potentially mount XSS attacks where the injected log content is later rendered. The impact is limited, however, since the flaw primarily affects logging and does not directly lead to remote code execution or privilege escalation.
The advised remediation is the same as described in my comment (dated March 19th) in Bug 2339115, based on Envoy configuration, and is summarized in the following:

1) Filter possibly malicious headers. Any HTTP header (x-forwarded-for included) can be stripped from a request by using the key "request_headers_to_remove".

2) Do not trust addresses in the x-forwarded-for header; use the downstream IP address instead. This is possible with the following configuration:
   xff_num_trusted_hops = 0 (no trusted addresses in XFF)
   use_remote_address = true (untrusted environments: do not use the x-forwarded-for HTTP header but use the downstream real address instead)