Envoy before 1.16.1 mishandles dropped and truncated datagrams, as demonstrated by a segmentation fault for a UDP packet size larger than 1500. Upstream Issue: https://github.com/envoyproxy/envoy/issues/14113
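A general illustration of the truncated-datagram condition named above, added here as an example; it is not Envoy's code and not the upstream fix. It uses the POSIX `recvmsg()` call and its `MSG_TRUNC` flag; the function names, the return-code convention and the loopback test harness are assumptions made for this sketch.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define RX_BUF_SIZE 1500 /* receiver buffer; matches the size threshold in the report */

/* Receive one datagram. Returns its length, -1 on socket error or timeout,
 * or -2 when the kernel truncated it: the caller must drop it, not parse it. */
ssize_t recv_datagram_checked(int fd, unsigned char *buf, size_t cap)
{
    struct iovec iov = { .iov_base = buf, .iov_len = cap };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    return (msg.msg_flags & MSG_TRUNC) ? -2 : n;
}

/* Constructed harness: send `len` bytes to our own socket over loopback UDP. */
ssize_t loopback_roundtrip(size_t len)
{
    static unsigned char tx[4096], rx[RX_BUF_SIZE];
    struct sockaddr_in addr = { .sin_family = AF_INET };
    struct timeval tv = { .tv_sec = 1 };           /* never block forever */
    socklen_t alen = sizeof addr;
    ssize_t result = -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || len > sizeof tx)
        goto out;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        getsockname(fd, (struct sockaddr *)&addr, &alen) < 0)
        goto out;
    memset(tx, 'A', len);
    if (sendto(fd, tx, len, 0, (struct sockaddr *)&addr, alen) == (ssize_t)len)
        result = recv_datagram_checked(fd, rx, sizeof rx);
out:
    if (fd >= 0) close(fd);
    return result;
}

int main(void)
{
    printf("1200 -> %zd, 2000 -> %zd\n", loopback_roundtrip(1200), loopback_roundtrip(2000));
}
```

Without the `msg_flags` check, `recvmsg()` returns the number of bytes that fit in the buffer, so a truncated datagram looks like a complete 1500-byte one.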
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35471
OpenShift ServiceMesh (Istio upstream) does not implement the UDP proxy in Envoy. Ref: https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/ However, it does still ship the affected code, so I have marked it low and wontfix, as the code is unreachable.
Upstream fix: https://github.com/envoyproxy/envoy/pull/14122/files
This can also be confirmed by attempting to create a VirtualService for proxying traffic in Istio; one will get the error: Error from server: error when creating "test-gateway.yaml": admission webhook "validation.istio.io" denied the request: configuration is invalid: http, tcp or tls must be provided in virtual service
Statement: While OpenShift ServiceMesh (OSSM) does package a vulnerable version of Envoy, it does not implement the UDP proxy in Envoy. Therefore, it has been assessed with a Low impact, Wontfix, and may be addressed in a future release.