Envoy 1.16.0 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters). Upstream Issue: https://github.com/envoyproxy/envoy/issues/14087
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35470
Confirmed regression from https://github.com/envoyproxy/envoy/commit/fa2a7dbe5f1a0847e0bcbdcb001bac5f80bc92d9, so this only affects v1.16.0. OSSM 2.0 is still on 1.14.5. Also, given how maistra/envoy works, we absorbed the changes but never the regression. OSSM 1.0 is 1.12.6, not vuln and oos.
External References: https://github.com/envoyproxy/envoy/issues/14087
Upstream fix: https://github.com/envoyproxy/envoy/pull/14132/commits/acc4a83bcfcc44c61e48b802cbb0972df3fdd4b5