Bug 1180122 (CVE-2020-35470)

Summary: VUL-1: CVE-2020-35470: envoy: logs incorrect downstream address making it possible to bypass the RBAC policy
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Manuel Buil <mbuil>
Status: RESOLVED UPSTREAM
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: dcassany, kkaempf, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/273387/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2020-12-16 16:02:02 UTC
rh#1907805

Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters).

Upstream Issue:

https://github.com/envoyproxy/envoy/issues/14087

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1907805
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35470
https://github.com/envoyproxy/envoy/compare/v1.16.0...v1.16.1
https://github.com/envoyproxy/envoy/issues/14087
https://github.com/envoyproxy/envoy/pull/14131
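To make the description concrete, the following is an added example (not Envoy code and not part of this bug report) showing why the address of the directly connected peer is the wrong input for a log line or an address-based RBAC decision when a proxy in front of the listener prepends a PROXY protocol header. It parses the text (v1) form of the PROXY protocol as published by HAProxy; the binary v2 form is not handled. All addresses, the allowlist and the function names (parse_proxy_v1, downstream_address, rbac_allows) are constructed for illustration. A naive check that looks only at the TCP peer sees the trusted proxy's internal address and allows the connection, while the proxy-aware check sees the real client address carried in the header and denies it.

```python
import ipaddress

# Constructed sample: a proxy at 10.0.0.5 connects to the listener and
# prepends a PROXY v1 header naming the real client 203.0.113.7.
PEER_ADDRESS = ("10.0.0.5", 43210)  # directly connected TCP peer
STREAM = b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 443\r\nhello\n"

PROXY_V1_MAX = 107  # maximum v1 header length including CRLF (HAProxy spec)
ALLOWED = ["10.0.0.0/8"]  # constructed policy: internal clients only


def parse_proxy_v1(data):
    """Return ((src_ip, src_port), payload) when data begins with a PROXY v1
    header, or (None, data) when there is no header. Malformed headers raise
    so a receiver never falls back to guessing."""
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end == -1:
        raise ValueError("PROXY header missing CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # Proxy could not determine the client; treat as "no header".
        return None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header: %r" % data[:end])
    src_ip = ipaddress.ip_address(fields[2])
    ipaddress.ip_address(fields[3])  # validate the destination as well
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    expected_version = 4 if fields[1] == "TCP4" else 6
    if src_ip.version != expected_version:
        raise ValueError("address family does not match header")
    return (str(src_ip), src_port), data[end + 2:]


def downstream_address(peer, data, proxy_protocol_expected):
    """Address that logging and RBAC should use. The header is honoured only
    when the listener is configured to expect it from a trusted hop."""
    if not proxy_protocol_expected:
        return peer
    src, _ = parse_proxy_v1(data)
    return src if src is not None else peer


def rbac_allows(addr, allowed_cidrs):
    ip = ipaddress.ip_address(addr[0])
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)


def naive_decision():
    # Flawed behaviour: consults only the directly connected peer.
    return rbac_allows(PEER_ADDRESS, ALLOWED), PEER_ADDRESS


def proxy_aware_decision():
    # Correct behaviour: consults the address carried in the PROXY header.
    addr = downstream_address(PEER_ADDRESS, STREAM, proxy_protocol_expected=True)
    return rbac_allows(addr, ALLOWED), addr


if __name__ == "__main__":
    print("naive:      ", naive_decision())
    print("proxy-aware:", proxy_aware_decision())
```

The proxy_protocol_expected flag matters in both directions: a listener that is not behind a trusted proxy must ignore such headers, since otherwise any client could supply one; a listener that is behind one must read them, otherwise every client appears to come from the proxy's internal address and an allowlist based on that address admits everyone.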
Comment 1 Manuel Buil 2020-12-18 16:01:58 UTC
As far as I see, this is only affecting the 1.16 version and not the previous versions. Several facts:

* The lines that the fix includes are already present in 1.15 and 1.14
* The backport made for version 1.15 is only adding tests to avoid this problem
* There is a comment in RH Bugzilla that confirms this: "So only affects v1.16.0."

We are shipping 1.14 and thus I don't think we are impacted by this.
Comment 2 Marcus Meissner 2020-12-23 15:27:13 UTC
ok, thanks!