Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. The issue arises from Envoy's default configuration of internal trust boundaries, which considers all RFC1918 private address ranges internal. The default behavior for handling internal addresses in Envoy has been changed. Previously, RFC1918 IP addresses were automatically considered internal, even if `internal_address_config` was empty. In this release the default configuration of Envoy continues to trust internal addresses; in the next release it will not trust them by default. If you have tooling such as probes on your private network that needs to be treated as trusted (e.g. changing arbitrary x-envoy headers), explicitly include those addresses or CIDR ranges in `internal_address_config`. Successful exploitation could allow attackers to bypass security controls, access sensitive data, or disrupt services within a mesh such as Istio. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
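An added example (not code from the advisory or the Envoy project): a small audit that walks an Envoy bootstrap in JSON form and reports which HTTP connection managers rely on the implicit RFC1918 default instead of explicit `internal_address_config` ranges. The sample config, listener names and verdict labels are constructed; it assumes only `static_resources` listeners are inspected and that a missing or empty `cidr_ranges` means the default described above applies.

```python
import ipaddress

HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _listener(name, iac=None):
    """Build a constructed sample listener holding one HTTP connection manager."""
    hcm = {"@type": HCM_TYPE, "stat_prefix": name}
    if iac is not None:
        hcm["internal_address_config"] = iac
    return {"name": name, "filter_chains": [{"filters": [
        {"name": "envoy.filters.network.http_connection_manager", "typed_config": hcm}]}]}

# Constructed sample config (hypothetical listener names and ranges).
SAMPLE = {"static_resources": {"listeners": [
    _listener("edge_default"),
    _listener("edge_empty", {}),
    _listener("edge_broad", {"cidr_ranges": [{"address_prefix": "10.0.0.0", "prefix_len": 8}]}),
    _listener("edge_probes", {"cidr_ranges": [{"address_prefix": "10.20.30.0", "prefix_len": 28}]}),
]}}

def classify(iac):
    """Classify one internal_address_config value (None when the field is absent)."""
    ranges = (iac or {}).get("cidr_ranges", [])
    if not ranges:
        return "implicit-default"  # relies on the default that is changing
    for r in ranges:
        net = ipaddress.ip_network(f"{r['address_prefix']}/{r['prefix_len']}", strict=False)
        # A range that swallows an entire RFC1918 block recreates the old default.
        if net.version == 4 and any(block.subnet_of(net) for block in RFC1918):
            return "trusts-whole-private-block"
    return "explicit"

def audit(config):
    """Return (listener name, verdict) for every HTTP connection manager found."""
    report = []
    for lst in config.get("static_resources", {}).get("listeners", []):
        for chain in lst.get("filter_chains", []):
            for flt in chain.get("filters", []):
                tc = flt.get("typed_config", {})
                if tc.get("@type") == HCM_TYPE:
                    verdict = classify(tc.get("internal_address_config"))
                    report.append((lst.get("name", "<unnamed>"), verdict))
    return report

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE):
        print(f"{name}: {verdict}")
```

Listeners reported as `implicit-default` are the ones whose behaviour changes when the default stops trusting RFC1918 addresses.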
History

Tue, 08 Oct 2024 02:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Redhat, Redhat service Mesh |
| CPEs | | `cpe:/a:redhat:service_mesh:2.5::el8`, `cpe:/a:redhat:service_mesh:2.6::el8`, `cpe:/a:redhat:service_mesh:2.6::el9` |
| Vendors & Products | | Redhat, Redhat service Mesh |

Fri, 20 Sep 2024 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Envoyproxy, Envoyproxy envoy |
| CPEs | | `cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Envoyproxy, Envoyproxy envoy |
| Metrics | | ssvc: `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Fri, 20 Sep 2024 09:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| References | | |
| Metrics | threat_severity: None | threat_severity: Moderate |


Thu, 19 Sep 2024 23:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Same text as the description at the top of this page |
| Title | | Potential manipulate `x-envoy` headers from external sources in envoy |
| Weaknesses | | CWE-639 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-19T23:34:30.762Z

Updated: 2024-09-20T17:28:05.598Z

Reserved: 2024-09-09T14:23:07.504Z

Link: CVE-2024-45806

Vulnrichment

Updated: 2024-09-20T17:27:57.679Z

NVD

Status: Analyzed

Published: 2024-09-20T00:15:02.293

Modified: 2024-10-15T16:03:44.943

Link: CVE-2024-45806

Redhat

Severity: Moderate

Public Date: 2024-09-20T00:15:02Z

Links: CVE-2024-45806 - Bugzilla