A flaw was found in Envoy 1.9.0 and older. When parsing HTTP/1.x header values, Envoy does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.

Upstream issue: https://github.com/envoyproxy/envoy/issues/6434

References: https://istio.io/blog/2019/announcing-1.1.2/
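As an added illustration, not part of this advisory or of Envoy's own code, the following is a defender-side screen that rejects HTTP/1.x header lines carrying NUL or any other control byte before they reach a matching rule, which is the behaviour a fixed parser needs; the header block it screens is constructed for the example.

```python
import re

# RFC 7230 field-content allows only VCHAR, obs-text (0x80-0xFF), SP and HTAB.
# NUL (0x00), CR, LF and every other control byte are disallowed.
FIELD_VALUE_RE = re.compile(rb"^[\t\x20-\x7e\x80-\xff]*$")
FIELD_NAME_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_header_line(line: bytes):
    """Parse one raw HTTP/1.x header line; raise ValueError on any invalid byte."""
    if b"\x00" in line:
        # Checked first so the rejection reason names the CVE-2019-9900 case.
        raise ValueError("embedded NUL byte")
    name, sep, value = line.partition(b":")
    if not sep or not FIELD_NAME_RE.fullmatch(name):
        raise ValueError("malformed header name")
    value = value.strip(b" \t")
    if not FIELD_VALUE_RE.fullmatch(value):
        raise ValueError("control character in header value")
    return name.lower(), value


def screen_headers(raw_block: bytes):
    """Return (accepted headers, rejected lines with reasons) for a CRLF-delimited block."""
    accepted, rejected = {}, []
    for line in raw_block.split(b"\r\n"):
        if not line:
            continue
        try:
            name, value = validate_header_line(line)
            accepted[name] = value
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed sample: one clean header, one with an embedded NUL, one with a bare CR.
SAMPLE = (b"Host: example.test\r\n"
          b"X-Role: guest\x00admin\r\n"
          b"X-Bad: a\rb\r\n")

if __name__ == "__main__":
    ok, bad = screen_headers(SAMPLE)
    for line, why in bad:
        print(f"rejected {line!r}: {why}")
```

The screen should run on the raw bytes before any header matching, since a matcher that treats values as C strings sees only the bytes up to the first NUL.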
Acknowledgments: the Envoy security team
This issue has been addressed in the following products:

OpenShift Service Mesh Tech Preview via RHSA-2019:0741 (https://access.redhat.com/errata/RHSA-2019:0741)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9900