A vulnerability was found in Envoy, where using SDS with Combined Validation Context Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump.
Name: The Envoy Security Team
This issue has been addressed in the following products:
OpenShift Service Mesh 1.0
Via RHSA-2020:0734 https://access.redhat.com/errata/RHSA-2020:0734
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):