Description
Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the REQUESTED_SERVER_NAME field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
A flaw was found in Envoy. Affected versions of Envoy may allow malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the REQUESTED_SERVER_NAME field for access loggers.
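As an added illustration of the log-injection class described above (not Envoy's code and not the fix shipped in the patched versions): a simplified line-oriented access-log formatter modelled on Envoy's %REQUESTED_SERVER_NAME% operator, the "before" that writes the value verbatim beside a hardened variant that escapes control characters, plus the hostname-syntax check a validating TLS layer could apply. The log format, function names and the sample server name are assumptions.

```python
import re

# Simplified line-oriented access-log format modelled on Envoy's
# %REQUESTED_SERVER_NAME% operator (added illustration, not Envoy's code).
LOG_FORMAT = '[{ts}] "{method} {path}" sni={sni} code={code}\n'

# Control characters never belong in a log field; CR/LF are the dangerous
# ones for line-oriented logs because they terminate the current record.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')

# A TLS server name is a DNS hostname: labels of letters, digits and
# hyphens joined by dots, 253 characters at most.
HOSTNAME = re.compile(r'(?=.{1,253}\Z)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
                      r'(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*')

def format_unescaped(ts, method, path, sni, code):
    """'Before' behaviour: the requested server name is written verbatim."""
    return LOG_FORMAT.format(ts=ts, method=method, path=path, sni=sni, code=code)

def escape_field(value):
    """Render control characters as visible \\xNN escapes so that one
    request always yields exactly one physical log line."""
    return CONTROL_CHARS.sub(lambda m: '\\x%02x' % ord(m.group(0)), value)

def format_escaped(ts, method, path, sni, code):
    """Hardened formatter: attacker-influenced fields are escaped before logging."""
    return LOG_FORMAT.format(ts=ts, method=method, path=path,
                             sni=escape_field(sni), code=code)

def is_valid_server_name(sni):
    """Input validation: accept only a syntactically valid hostname as the
    requested server name, so nothing else can reach a logger."""
    return HOSTNAME.fullmatch(sni) is not None

def records(log_text):
    """What a line-oriented consumer (grep, a SIEM parser) sees: one record per line."""
    return [line for line in log_text.split('\n') if line]

# Constructed sample: a server name carrying an embedded newline (hypothetical).
INJECTED_SNI = 'example.com\nINJECTED sni=forged.invalid'

if __name__ == '__main__':
    bad = format_unescaped('2024-10-07T00:00:00Z', 'GET', '/', INJECTED_SNI, 200)
    good = format_escaped('2024-10-07T00:00:00Z', 'GET', '/', INJECTED_SNI, 200)
    print(len(records(bad)), 'records from one request (unescaped)')  # 2
    print(len(records(good)), 'record from one request (escaped)')    # 1
    print(is_valid_server_name(INJECTED_SNI), is_valid_server_name('example.com'))
```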
Statement
The vulnerability in Envoy that allows attackers to inject unexpected content into access logs is classified as moderate severity rather than important because the impact is primarily related to log integrity rather than direct exploitation of the system or data breaches, which lowers the overall risk profile. While log tampering can lead to misleading information, it does not directly compromise the application’s functionality or security boundaries. Additionally, the attack requires specific conditions to succeed, relying on the lack of validation for the REQUESTED_SERVER_NAME field, which may not be present in all configurations.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel8 | Not affected | | |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/grafana-rhel8 | Fixed | RHSA-2024:7726 | 07.10.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/istio-cni-rhel8 | Fixed | RHSA-2024:7726 | 07.10.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/istio-must-gather-rhel8 | Fixed | RHSA-2024:7726 | 07.10.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/istio-rhel8-operator | Fixed | RHSA-2024:7726 | 07.10.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/kiali-ossmc-rhel8 | Fixed | RHSA-2024:7726 | 07.10.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/kiali-rhel8 | Fixed | RHSA-2024:7726 | 07.10.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/kiali-rhel8-operator | Fixed | RHSA-2024:7726 | 07.10.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/pilot-rhel8 | Fixed | RHSA-2024:7726 | 07.10.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/ratelimit-rhel8 | Fixed | RHSA-2024:7726 | 07.10.2024 |
Additional information
CVSS3: 6.5 Medium