ISTIO-SECURITY-2020-011
Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections.
| Disclosure Details | |
|---|---|
| CVE(s) | N/A |
| CVSS Impact Score | N/A |
| Affected Releases | 1.8.0 |
Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:
- Incorrect proxy protocol downstream address for non-HTTP connections:
Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections. Instead of restoring the address supplied by the proxy protocol filter,
Envoy restores the address of the directly connected peer and passes it to subsequent filters. This will affect logging (
%DOWNSTREAM_REMOTE_ADDRESS%) and authorization policy (remoteIpBlocksandremote_ip) for non-HTTP network connections because they will use the incorrect proxy protocol downstream address.
This issue does not affect HTTP connections. The address from X-Forwarded-For is also not affected.
Istio does not support proxy protocol, and the only way to enable it is to use a custom EnvoyFilter resource.
It is not tested in Istio and should be used at your own risk.
Mitigation
- For Istio 1.8.0 deployments: do not use the proxy protocol for non-HTTP connections.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.