Bug 1802542 (CVE-2020-8664) - CVE-2020-8664 envoy: Incorrect Access Control when using SDS with Combined Validation Context
Summary: CVE-2020-8664 envoy: Incorrect Access Control when using SDS with Combined Va...
Alias: CVE-2020-8664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1802569
TreeView+ depends on / blocked
Reported: 2020-02-13 11:37 UTC by Dhananjay Arunesh
Modified: 2021-02-16 20:34 UTC (History)
3 users (show)

Fixed In Version: envoy 1.13.1
Doc Type: If docs needed, set a value
Doc Text:
An access control bypass vulnerability was found in envoy. When the same TLS secret is used across multiple resources, the client's data, such as the subject alternative name or hash, is not validated. This flaw could lead to a possible bypass of security restrictions.
Clone Of:
Last Closed: 2020-03-05 22:31:47 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0734 0 None None None 2020-03-05 19:00:19 UTC

Description Dhananjay Arunesh 2020-02-13 11:37:34 UTC
A vulnerability was found in Envoy, where using SDS with Combined Validation Context Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump.

Comment 2 Mark Cooper 2020-02-24 04:41:40 UTC

Name: The Envoy Security Team

Comment 3 errata-xmlrpc 2020-03-05 19:00:18 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:0734 https://access.redhat.com/errata/RHSA-2020:0734

Comment 4 Product Security DevOps Team 2020-03-05 22:31:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 5 Mark Cooper 2020-03-08 22:18:58 UTC
External References:


Note You need to log in before you can comment on or make changes to this bug.