1856232 – (CVE-2020-15104) CVE-2020-15104 envoyproxy/envoy: incorrectly validates TLS certificates when using wildcards for DNS SAN's

Bug 1856232 (CVE-2020-15104) - CVE-2020-15104 envoyproxy/envoy: incorrectly validates TLS certificates when using wildcards for DNS SAN's

Summary: CVE-2020-15104 envoyproxy/envoy: incorrectly validates TLS certificates when ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-15104
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1856187
TreeView+	depends on / blocked

Reported:	2020-07-13 06:37 UTC by Mark Cooper
Modified:	2021-02-16 19:41 UTC (History)
CC List:	2 users (show)
Fixed In Version:	envoy 1.15.0, istio 1.5.8, istio 1.6.5
Doc Type:	If docs needed, set a value
Doc Text:	An improper certificate validation vulnerability was found in envoyproxy/envoy, when externally created certificates with wildcards in the DNS Subject Alternative Name are used. This flaw allows an attacker to subvert the envoy filter or destination rules to access restricted resources. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:	2020-07-22 13:27:50 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:3090	0	None	None	None	2020-07-22 08:07:49 UTC

Description Mark Cooper 2020-07-13 06:37:35 UTC

Envoy before v1.15.0 and Istio before 1.6.5 (and 1.5.8) doesn't correctly validate TLS certificates when using wildcards. When wildcards are specified in the DNS Subject Alternative Name (SAN) and include multiple subdomains such as *.site.com, Envoy incorrectly allows and matches further sub domains such as bad.subdomain.site.com.

Comment 1 Mark Cooper 2020-07-13 06:37:38 UTC

Acknowledgments:

Name: the Envoy Security Team

Comment 3 Mark Cooper 2020-07-13 06:49:19 UTC

Fix, git commit: https://github.com/envoyproxy/envoy/pull/11921/files

Comment 7 Mark Cooper 2020-07-14 07:23:29 UTC

External References:

https://istio.io/latest/news/security/istio-security-2020-008/

Comment 8 errata-xmlrpc 2020-07-22 08:07:48 UTC

This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:3090 https://access.redhat.com/errata/RHSA-2020:3090

Comment 9 Product Security DevOps Team 2020-07-22 13:27:50 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15104

Comment 10 RaTasha Tillery-Smith 2020-08-12 17:01:28 UTC

Statement:

For OpenShift ServiceMesh to be affected by this vulnerability, it must be configured to validate externally issued certificates. By default, ServiceMesh does not issue certificates that use DNS wildcard SANs.

Note You need to log in before you can comment on or make changes to this bug.