Описание
Envoy vulnerable to crash for scoped ip address during DNS
Summary
Calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter.
Details
The crashing function is Utility::getAddressWithPort. The crash occurs if a string containing a scoped IPv6 address is passed to this function.
This vulnerability affects:
- The original src filter: If the filter is configured and the original source is a scoped IPv6 address, it will cause a crash.
- DNS response address resolution: If a DNS response contains a scoped IPv6 address, this will also trigger the crash.
PoC
To reproduce the vulnerability:
- Method A (Original Src Filter): Configure the
original srcfilter in Envoy and provide a scoped IPv6 address as the original source. - Method B (DNS Resolution): Trigger a DNS resolution process within Envoy where the DNS response contains a scoped IPv6 address.
Impact
This is a Denial of Service (DoS) vulnerability. It impacts users who have the original src filter configured or whose Envoy instances resolve addresses from DNS responses that may contain scoped IPv6 addresses.
Пакеты
github.com/envoyproxy/envoy
= 1.37.0
Отсутствует
github.com/envoyproxy/envoy
>= 1.36.0, <= 1.36.4
Отсутствует
github.com/envoyproxy/envoy
>= 1.35.0, <= 1.35.8
Отсутствует
github.com/envoyproxy/envoy
<= 1.34.12
Отсутствует
Связанные уязвимости
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1 ...