Bug 1180122 - (CVE-2020-35470) VUL-1: CVE-2020-35470: envoy: logs incorrect downstream address making it possible to bypass the RBAC policy
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Minor
Assigned To: Manuel Buil
https://smash.suse.de/issue/273387/
Reported: 2020-12-16 16:02 UTC by Marcus Meissner
Modified: 2020-12-23 15:27 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2020-12-16 16:02:02 UTC
rh#1907805

Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters).

Upstream Issue:

https://github.com/envoyproxy/envoy/issues/14087

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1907805
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35470
https://github.com/envoyproxy/envoy/compare/v1.16.0...v1.16.1
https://github.com/envoyproxy/envoy/issues/14087
https://github.com/envoyproxy/envoy/pull/14131
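
The mismatch described above, as an added example that is not part of the original report and is not Envoy's code: a minimal PROXY protocol v1 parser that shows how a peer-only view and a header-aware view of the downstream address diverge. The addresses, the sample stream and the allow-list network are constructed, and `audit` is a hypothetical helper.

```python
import ipaddress

# Constructed sample: a load balancer at 10.0.0.5 connects to the proxy and
# announces the real client 203.0.113.7 in a PROXY protocol v1 header.
SAMPLE_PEER = ("10.0.0.5", 41000)
SAMPLE_STREAM = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\npayload"


def parse_proxy_v1(stream: bytes):
    """Return ((src_ip, src_port), rest), or (None, rest) if no address is given.

    Handles the text (v1) header only; the binary v2 format is out of scope.
    """
    if not stream.startswith(b"PROXY "):
        return None, stream
    line, sep, rest = stream.partition(b"\r\n")
    if not sep or len(line) + 2 > 107:  # a v1 header is at most 107 bytes
        raise ValueError("malformed PROXY v1 header")
    fields = line.decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":  # sender could not determine the addresses
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])  # raises ValueError if invalid
    ipaddress.ip_address(fields[3])        # validate destination as well
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport), rest


def downstream_address(peer, stream):
    """Address that logging and policy should agree on."""
    src, _ = parse_proxy_v1(stream)
    return src if src is not None else peer


def audit(peer, stream, allowed_net):
    """Compare a peer-only view with a header-aware view (hypothetical helper)."""
    effective = downstream_address(peer, stream)
    net = ipaddress.ip_network(allowed_net)
    return {
        "peer_only": peer[0],
        "header_aware": effective[0],
        "mismatch": peer[0] != effective[0],
        "peer_only_allowed": ipaddress.ip_address(peer[0]) in net,
        "header_aware_allowed": ipaddress.ip_address(effective[0]) in net,
    }
```

The sketch does not model which peers are trusted to send a PROXY header; a deployment accepts the header only from peers it trusts.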
Comment 1 Manuel Buil 2020-12-18 16:01:58 UTC
As far as I see, this is only affecting 1.16 version and not the previous versions. Several facts:

* The lines that the fix includes are already present in 1.15 and 1.14
* The backport made for version 1.15 is only adding tests to avoid this problem
* There is a comment in RH Bugzilla that confirms this: "So only affects v1.16.0."

We are shipping 1.14 and thus, I don't think we are impacted by this.
Comment 2 Marcus Meissner 2020-12-23 15:27:13 UTC
Ok, thanks!