Bug 1907804 (CVE-2020-35471) - CVE-2020-35471 envoy: mishandling dropped and truncated datagrams leads to segfault and DoS
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-35471
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1907809
Reported: 2020-12-15 09:45 UTC by Marian Rehak
Modified: 2023-08-30 23:50 UTC

Fixed In Version: envoy 1.16.1
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference vulnerability was found in Envoy. During the handling of truncated or dropped UDP datagrams, this flaw allows an attacker to specify the length of the packet to be larger than 1500 bytes and cause the envoy proxy process to segfault, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-12-16 04:18:20 UTC
Embargoed:



Description Marian Rehak 2020-12-15 09:45:12 UTC
Envoy before 1.16.1 mishandles dropped and truncated datagrams, as demonstrated by a segmentation fault for a UDP packet size larger than 1500.

Upstream Issue:

https://github.com/envoyproxy/envoy/issues/14113

Comment 1 Product Security DevOps Team 2020-12-16 04:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35471

Comment 3 Mark Cooper 2020-12-17 04:35:59 UTC
OpenShift ServiceMesh (Istio upstream) does not implement the UDP proxy in Envoy. 

Ref: https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/

However it does still ship the affected code so have marked low and wontfix as the code is unreachable.

Comment 5 Mark Cooper 2020-12-17 06:05:47 UTC
Upstream fix: https://github.com/envoyproxy/envoy/pull/14122/files

Comment 6 Mark Cooper 2020-12-17 07:08:50 UTC
Can also be confirmed when attempting to create a virtualservice for proxying traffic in istio, one will get the error:

Error from server: error when creating "test-gateway.yaml": admission webhook "validation.istio.io" denied the request: configuration is invalid: http, tcp or tls must be provided in virtual service

Comment 8 RaTasha Tillery-Smith 2021-01-04 14:14:45 UTC
Statement:

While OpenShift ServiceMesh (OSSM) does package a vulnerable version of Envoy, it does not implement the UDP proxy in Envoy. Therefore, it has been assessed with a Low impact, Wontfix, and may be addressed in a future release.
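
The triage above rests on two facts: the shipped Envoy is older than 1.16.1, and no UDP listener is configured, so the affected code is unreachable. The following is an added example (not part of the bug comments and not Red Hat or Envoy project code) that applies the same reasoning to a bootstrap config. The sample config and listener names are constructed, and treating any UDP-bound static listener as reachable is an assumption that goes beyond the UDP proxy case named in the comments.

```python
import json

FIXED_IN = (1, 16, 1)  # "Fixed In Version: envoy 1.16.1" from this bug

# Constructed sample bootstrap (JSON form), not taken from any real deployment.
SAMPLE_CONFIG = json.loads("""
{
  "static_resources": {"listeners": [
    {"name": "http_in",
     "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8080}}},
    {"name": "dns_udp",
     "address": {"socket_address": {"protocol": "UDP", "address": "0.0.0.0",
                                    "port_value": 5353}},
     "listener_filters": [{"name": "envoy.filters.udp_listener.udp_proxy"}]}
  ]}
}
""")

def parse_version(text):
    """Turn '1.16.0' into (1, 16, 0); a leading 'v' and '-suffix' are dropped."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def udp_listeners(config):
    """Names of static listeners bound to UDP or carrying a UDP listener filter."""
    found = []
    for lst in config.get("static_resources", {}).get("listeners", []):
        sock = lst.get("address", {}).get("socket_address", {})
        is_udp = str(sock.get("protocol", "TCP")).upper() == "UDP"
        has_udp_filter = any(
            f.get("name", "").startswith("envoy.filters.udp_listener.")
            for f in lst.get("listener_filters", []))
        if is_udp or has_udp_filter:
            found.append(lst.get("name", "<unnamed>"))
    return found

def assess(version, config):
    """Return (status, udp_listener_names) for a given Envoy version and config."""
    if parse_version(version) >= FIXED_IN:
        return "fixed", []
    names = udp_listeners(config)
    status = "vulnerable-reachable" if names else "vulnerable-unreachable"
    return status, names

if __name__ == "__main__":
    print(assess("1.16.0", SAMPLE_CONFIG))
```

Listeners delivered dynamically over LDS are not in the bootstrap file, so a "vulnerable-unreachable" result covers static configuration only.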

