ISTIO-SECURITY-2020-011

Security Bulletin

Disclosure Details
CVE(s): N/A
CVSS Impact Score: N/A
Affected Releases: 1.8.0

Envoy, and therefore Istio, is affected by a newly discovered vulnerability:

  • Incorrect proxy protocol downstream address for non-HTTP connections: Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections. Instead of restoring the address supplied by the proxy protocol filter, Envoy restores the address of the directly connected peer (for example the load balancer in front of the proxy) and passes it to subsequent filters. This affects logging (%DOWNSTREAM_REMOTE_ADDRESS%) and authorization policy (remoteIpBlocks and remote_ip) for non-HTTP network connections, because both will use the incorrect downstream address: a rule written against the real client address is evaluated against the address of the peer that connected to Envoy instead.

This issue does not affect HTTP connections. The address from X-Forwarded-For is also not affected.

Istio does not support the proxy protocol; the only way to enable it is a custom EnvoyFilter resource. That configuration is not tested in Istio and is used at your own risk.
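To make the impact concrete, the following is an added Python model of the behaviour the bulletin describes; it is illustrative code written for this page, not Envoy or Istio code. It parses a PROXY protocol v1 header, computes the address that later filters see under the HTTP path, the 1.8.0 non-HTTP path and a corrected non-HTTP path, and evaluates a minimal AuthorizationPolicy remoteIpBlocks rule against that address. The load balancer address, the two client addresses, the PROXY headers and both policies are constructed for the example.

```python
import ipaddress

# Constructed sample (all addresses hypothetical): a load balancer at 10.1.2.3
# terminates the client connection and forwards it to Envoy with a PROXY
# protocol v1 header naming the real client.
LB_ADDR = "10.1.2.3"
BLOCKED_CLIENT = b"PROXY TCP4 198.51.100.7 10.1.2.3 51234 443\r\n"
TRUSTED_CLIENT = b"PROXY TCP4 203.0.113.9 10.1.2.3 40210 443\r\n"

# Hypothetical policies, in the same shape as the spec.* fields of an Istio
# AuthorizationPolicy. Only action and source.remoteIpBlocks are modelled.
DENY_POLICY = {
    "action": "DENY",
    "rules": [{"from": [{"source": {"remoteIpBlocks": ["198.51.100.0/24"]}}]}],
}
ALLOW_POLICY = {
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"remoteIpBlocks": ["203.0.113.0/24"]}}]}],
}


def parse_proxy_v1(header: bytes):
    """Parse a PROXY protocol v1 header line.

    Returns (src_ip, src_port, dst_ip, dst_port), or None for 'PROXY UNKNOWN'
    (the sender had no usable client address to report).
    """
    if len(header) > 107 or not header.endswith(b"\r\n"):
        raise ValueError("PROXY v1 header must be <=107 bytes and end in CRLF")
    fields = header[:-2].decode("ascii").split(" ")
    if fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        return None
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    return str(src), int(fields[4]), str(dst), int(fields[5])


def downstream_remote_address(peer_addr, proxy_header, *, http, fixed):
    """Address that later filters (access log, RBAC) see as the downstream remote.

    peer_addr is the directly connected peer (here the load balancer). With a
    PROXY header present, the source address it carries should win. The 1.8.0
    behaviour in the bulletin only does that for HTTP connections; for other
    connections it hands subsequent filters peer_addr instead.
    """
    parsed = parse_proxy_v1(proxy_header) if proxy_header else None
    if parsed is None:
        return peer_addr
    if http or fixed:
        return parsed[0]
    return peer_addr  # the bug: directly connected peer, not the proxied client


def evaluate_policy(policy, remote_ip):
    """Minimal model of AuthorizationPolicy evaluation for remoteIpBlocks only."""
    ip = ipaddress.ip_address(remote_ip)
    matched = any(
        ip in ipaddress.ip_network(block)
        for rule in policy["rules"]
        for frm in rule.get("from", [])
        for block in frm["source"].get("remoteIpBlocks", [])
    )
    if policy["action"] == "DENY":
        return "DENY" if matched else "ALLOW"
    return "ALLOW" if matched else "DENY"


def decide(policy, proxy_header, *, http, fixed):
    """(address seen by the policy, verdict) for one connection and one Envoy path."""
    addr = downstream_remote_address(LB_ADDR, proxy_header, http=http, fixed=fixed)
    return addr, evaluate_policy(policy, addr)


if __name__ == "__main__":
    cases = (("DENY 198.51.100.0/24, blocked client", DENY_POLICY, BLOCKED_CLIENT),
             ("ALLOW 203.0.113.0/24, trusted client", ALLOW_POLICY, TRUSTED_CLIENT))
    paths = (("HTTP", dict(http=True, fixed=False)),
             ("TCP 1.8.0", dict(http=False, fixed=False)),
             ("TCP fixed", dict(http=False, fixed=True)))
    for name, policy, header in cases:
        for label, kw in paths:
            addr, verdict = decide(policy, header, **kw)
            print(f"{name:38} {label:10} remote={addr:13} -> {verdict}")
```

Under the 1.8.0 non-HTTP path the DENY rule is bypassed, because it is evaluated against 10.1.2.3 rather than the blocked client, and the ALLOW rule rejects the trusted client for the same reason; the same 10.1.2.3 is what %DOWNSTREAM_REMOTE_ADDRESS% records for those connections. The HTTP path and the corrected path both see the client address carried in the PROXY header.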

Mitigation

  • For Istio 1.8.0 deployments: do not use the proxy protocol for non-HTTP connections.

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.
