Описание
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.
A flaw was found in Envoy. This vulnerability allows a de-synchronized CONNECT tunnel state via accepting client data before issuing a 2xx response and forwarding it to the upstream TCP (Transmission Control Protocol) connection when configured in TCP (Transmission Control Protocol) proxy mode to handle CONNECT requests.
Отчет
This vulnerability is rated Moderate for Red Hat. Envoy, when operating in TCP proxy mode for CONNECT requests, forwards client data before a 2xx response. This can lead to a de-synchronized CONNECT tunnel state if an upstream proxy rejects the tunnel establishment. This behavior is enabled by default in affected versions of OpenShift Service Mesh.
Меры по смягчению последствий
To mitigate this issue, set the envoy.reloadable_features.reject_early_connect_data runtime flag to reject CONNECT requests that send data before a 2xx response. This configuration change may require a service reload or restart to take effect.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Service Mesh 2 | openshift-service-mesh/grafana-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-must-gather-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-operator-bundle | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-rhel8-operator | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/ratelimit-rhel8 | Fix deferred | ||
| OpenShift Service Mesh 3 | openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-cni-rhel9 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.3 ...
Envoy forwards early CONNECT data in TCP proxy mode
5.3 Medium
CVSS3