A null pointer dereference vulnerability was found in all versions of Envoy up to 1.17.2. If an attacker can establish a TLS session and send an invalid TLS alert code, this causes a NULL pointer exception that crashes the application, resulting in a denial of service.
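The defect class described above, as an added illustration that is not Envoy's code: a lookup that maps a peer-supplied TLS alert description code to a name returns NULL for codes outside its table, and a hardened wrapper substitutes a fixed fallback so the log formatter never dereferences NULL. The alert code values are the standard ones from the TLS RFCs; the function names and the log line format are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed table of TLS alert descriptions (subset of the standard values).
   Any code not listed yields NULL, which is exactly the kind of return value
   that, if passed straight to a string formatter, crashes the process. */
static const char *alert_name_unchecked(int code) {
    switch (code) {
    case 0:   return "close_notify";
    case 10:  return "unexpected_message";
    case 20:  return "bad_record_mac";
    case 40:  return "handshake_failure";
    case 42:  return "bad_certificate";
    case 80:  return "internal_error";
    case 109: return "missing_extension";
    default:  return NULL;  /* peer-controlled value outside the table */
    }
}

/* Hardened lookup: never hands a NULL back to the caller. */
static const char *alert_name(int code) {
    const char *name = alert_name_unchecked(code);
    return name ? name : "unknown_alert";
}

/* Builds a log line for a received alert (level 1 = warning, 2 = fatal).
   Returns 0 for a known alert code and -1 for an unknown one so the caller
   can count or flag it, but never dereferences a NULL name. */
int format_alert_log(int level, int code, char *out, size_t out_len) {
    const char *lvl = (level == 1) ? "warning"
                    : (level == 2) ? "fatal"
                    : "unknown_level";
    const char *name = alert_name(code);
    snprintf(out, out_len, "tls alert level=%s desc=%s(%d)", lvl, name, code);
    return alert_name_unchecked(code) ? 0 : -1;
}
```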
Acknowledgments: Name: the Envoy security team
External References: https://istio.io/latest/news/security/istio-security-2021-003/
This issue has been addressed in the following products: OpenShift Service Mesh 2.0 Via RHSA-2021:1324 https://access.redhat.com/errata/RHSA-2021:1324
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2021:1322 https://access.redhat.com/errata/RHSA-2021:1322
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28683