Bug 1856232 (CVE-2020-15104) - CVE-2020-15104 envoyproxy/envoy: incorrectly validates TLS certificates when using wildcards for DNS SANs
Summary: CVE-2020-15104 envoyproxy/envoy: incorrectly validates TLS certificates when ...
Alias: CVE-2020-15104
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1856187
Reported: 2020-07-13 06:37 UTC by Mark Cooper
Modified: 2021-02-16 19:41 UTC (History)

Fixed In Version: envoy 1.15.0, istio 1.5.8, istio 1.6.5
Doc Type: If docs needed, set a value
Doc Text:
An improper certificate validation vulnerability was found in envoyproxy/envoy when externally created certificates with wildcards in the DNS Subject Alternative Name are used. This flaw allows an attacker to subvert the Envoy filter or destination rules to access restricted resources. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Last Closed: 2020-07-22 13:27:50 UTC

External Tracker: Red Hat Product Errata RHSA-2020:3090 (last updated 2020-07-22 08:07:49 UTC)

Description Mark Cooper 2020-07-13 06:37:35 UTC
Envoy before v1.15.0 and Istio before 1.6.5 (and 1.5.8) do not correctly validate TLS certificates when using wildcards. When wildcards are specified in the DNS Subject Alternative Name (SAN) and include multiple subdomains such as *.site.com, Envoy incorrectly allows and matches further subdomains such as bad.subdomain.site.com.
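
The matching behaviour described above, as an added example that is not Envoy's own code: a hypothetical lenient matcher that treats a leading "*." as "any prefix" (so *.site.com accepts bad.subdomain.site.com) beside a strict matcher in which the wildcard is a whole leftmost label matching exactly one host label, as RFC 6125 section 6.4.3 prescribes. Function and helper names are assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

namespace {
// Lower-case a DNS name and split it into dot-separated labels; DNS names are case-insensitive.
std::vector<std::string> labelsOf(const std::string& name) {
    std::vector<std::string> labels(1);
    for (char c : name) {
        if (c == '.') labels.emplace_back();
        else labels.back() += static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    }
    return labels;
}
}  // namespace

// Illustrative lenient matcher (hypothetical; not Envoy's actual implementation):
// a leading "*" label is allowed to stand for any number of host labels, so
// "*.site.com" also accepts "bad.subdomain.site.com".
bool lenientSanMatch(const std::string& san, const std::string& host) {
    const auto s = labelsOf(san), h = labelsOf(host);
    if (s[0] != "*") return s == h;
    if (h.size() < s.size()) return false;
    // Only the suffix after the wildcard is compared; the host may carry extra leading labels.
    const auto suffix_len = static_cast<std::ptrdiff_t>(s.size() - 1);
    return std::equal(s.begin() + 1, s.end(), h.end() - suffix_len);
}

// Strict matcher: the wildcard must be the entire leftmost label, at least two labels
// must follow it (so "*.com" is rejected), and it matches exactly one non-empty host label.
bool strictSanMatch(const std::string& san, const std::string& host) {
    const auto s = labelsOf(san), h = labelsOf(host);
    if (san.find('*') == std::string::npos) return s == h;       // no wildcard: exact match
    if (s.size() < 3 || s[0] != "*") return false;               // rejects "*.com", "f*.site.com"
    if (h.size() != s.size() || h[0].empty()) return false;      // one label, and only one
    return std::equal(s.begin() + 1, s.end(), h.begin() + 1);
}
```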

Comment 1 Mark Cooper 2020-07-13 06:37:38 UTC

Name: the Envoy Security Team

Comment 3 Mark Cooper 2020-07-13 06:49:19 UTC
Fix, git commit: https://github.com/envoyproxy/envoy/pull/11921/files

Comment 7 Mark Cooper 2020-07-14 07:23:29 UTC
External References:


Comment 8 errata-xmlrpc 2020-07-22 08:07:48 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:3090 https://access.redhat.com/errata/RHSA-2020:3090

Comment 9 Product Security DevOps Team 2020-07-22 13:27:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 10 RaTasha Tillery-Smith 2020-08-12 17:01:28 UTC

For OpenShift ServiceMesh to be affected by this vulnerability, it must be configured to validate externally issued certificates. By default, ServiceMesh does not issue certificates that use DNS wildcard SANs.
