ISTIO-SECURITY-2020-011
Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections.
Disclosure Details | |
---|---|
CVE(s) | N/A |
CVSS Impact Score | N/A |
Affected Releases | 1.8.0 |
Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:
- Incorrect proxy protocol downstream address for non-HTTP connections:
Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections. Instead of restoring the address supplied by the proxy protocol filter, Envoy restores the address of the directly connected peer and passes it to subsequent filters. This will affect logging (`%DOWNSTREAM_REMOTE_ADDRESS%`) and authorization policy (`remoteIpBlocks` and `remote_ip`) for non-HTTP network connections because they will use the incorrect proxy protocol downstream address.
This issue does not affect HTTP connections. The address from `X-Forwarded-For` is also not affected.
Istio does not support proxy protocol, and the only way to enable it is to use a custom `EnvoyFilter` resource. It is not tested in Istio and should be used at your own risk.
Mitigation
- For Istio 1.8.0 deployments: do not use the proxy protocol for non-HTTP connections.
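To check whether a 1.8.0 mesh has proxy protocol enabled at all, the following added example (not part of the Istio advisory or of Istio's code) scans `EnvoyFilter` resources for the proxy protocol listener filter. The filter names are the ones Envoy registers; the resource names and namespaces in the sample are constructed, and a hit only shows that proxy protocol is enabled, so whether that listener carries non-HTTP traffic still has to be reviewed.

```python
import json
import sys

# Names Envoy registers for the proxy protocol listener filter
# (current name and its deprecated alias).
PROXY_PROTOCOL_FILTERS = {
    "envoy.filters.listener.proxy_protocol",
    "envoy.listener.proxy_protocol",
}

def _names(node):
    """Yield every string stored under a "name" key anywhere in node."""
    if isinstance(node, dict):
        if isinstance(node.get("name"), str):
            yield node["name"]
        for value in node.values():
            yield from _names(value)
    elif isinstance(node, list):
        for value in node:
            yield from _names(value)

def find_proxy_protocol_filters(envoyfilter_list):
    """Return sorted namespace/name of EnvoyFilters that insert the filter."""
    hits = set()
    for item in envoyfilter_list.get("items", []):
        patches = item.get("spec", {}).get("configPatches", [])
        if PROXY_PROTOCOL_FILTERS & set(_names(patches)):
            meta = item.get("metadata", {})
            hits.add(f"{meta.get('namespace', '?')}/{meta.get('name', '?')}")
    return sorted(hits)

# Constructed sample shaped like `kubectl get envoyfilter -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "proxy-protocol", "namespace": "istio-system"},
     "spec": {"configPatches": [{"applyTo": "LISTENER", "patch": {
         "operation": "MERGE", "value": {"listener_filters": [
             {"name": "envoy.filters.listener.proxy_protocol"},
             {"name": "envoy.filters.listener.tls_inspector"}]}}}]}},
    {"metadata": {"name": "add-header", "namespace": "shop"},
     "spec": {"configPatches": [{"applyTo": "HTTP_FILTER", "patch": {
         "operation": "INSERT_BEFORE",
         "value": {"name": "envoy.filters.http.lua"}}}]}},
]}

if __name__ == "__main__":
    # Pass a saved JSON dump as argv[1]; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            SAMPLE = json.load(fh)
    for ref in find_proxy_protocol_filters(SAMPLE):
        print(ref, "enables proxy protocol; check for non-HTTP listeners")
```

Save the output of `kubectl get envoyfilter -A -o json` to a file and pass its path as the first argument to scan a live cluster's resources.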
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.