ISTIO-SECURITY-2020-011

Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections.

Nov 21, 2020

Disclosure Details
CVE(s)N/A
CVSS Impact ScoreN/A
Affected Releases1.8.0

Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:

This issue does not affect HTTP connections. The address from X-Forwarded-For is also not affected.

Istio does not support proxy protocol, and the only way to enable it is to use a custom EnvoyFilter resource. It is not tested in Istio and should be used at your own risk.

Mitigation

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.