Bugzilla – Bug 1180122
VUL-1: CVE-2020-35470: envoy: logs incorrect downstream address making it possible to bypass the RBAC policy
Last modified: 2020-12-23 15:27:13 UTC
Envoy before 1.16.1 logs an incorrect downstream address because it considers only the directly connected peer, not the information in the proxy protocol header. This affects situations with tcp-proxy as the network filter (not HTTP filters).
As far as I can see, this only affects version 1.16 and not the previous versions. Several facts:
* The lines that the fix includes are already present in 1.15 and 1.14
* The backport made for version 1.15 only adds tests to avoid this problem
* There is a comment in RH Bugzilla that confirms this: "So only affects v1.16.0."
We are shipping 1.14 and thus I don't think we are impacted by this.
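
The following is an added illustration, not Envoy code and not part of the original report. It shows how the directly connected peer and the source address in a PROXY protocol v1 header can lead to different log entries and different source-IP policy decisions. All addresses, the `allowed` rule and the function names are constructed for the example, and the listener is assumed to accept PROXY headers only from a trusted load balancer.

```python
import ipaddress

def parse_proxy_v1(line: bytes):
    """Parse one PROXY protocol v1 line; return (src_ip, src_port), or None for UNKNOWN."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("malformed PROXY v1 header")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None  # sender could not determine the original client
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport

def downstream_address(peer, first_bytes: bytes):
    """Address that logging and policy should see for this connection."""
    head, sep, _ = first_bytes.partition(b"\r\n")
    if not sep or not head.startswith(b"PROXY "):
        return peer  # no header: the peer really is the downstream
    return parse_proxy_v1(head + sep) or peer

def allowed(addr, networks):
    """Toy source-IP allow rule standing in for an RBAC principal match."""
    ip = ipaddress.ip_address(addr[0])
    return any(ip in ipaddress.ip_network(n) for n in networks)

# Constructed sample: a load balancer at 10.0.0.5 forwards a client at 203.0.113.7.
PEER = ("10.0.0.5", 41000)
FIRST_BYTES = b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 443\r\npayload"
INTERNAL_ONLY = ["10.0.0.0/8"]

if __name__ == "__main__":
    real = downstream_address(PEER, FIRST_BYTES)
    print("peer-based decision:  ", PEER, allowed(PEER, INTERNAL_ONLY))
    print("header-based decision:", real, allowed(real, INTERNAL_ONLY))
```
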