One Article Review

Home - The article:
Source Google (Vuln GCP)
Identifier 8296094
Publication date 2022-12-21 17:12:56 (viewed: 2022-12-30 21:12:37)
Title GCP-2022-008
Text Published: 2022-02-23 Updated: 2022-04-28
Notes: 2022-04-28 Update: Added versions of Anthos clusters on VMware that fix these vulnerabilities. For details, see the Anthos clusters on VMware security bulletin.
The Envoy project recently discovered a set of vulnerabilities. All issues listed below are fixed in Envoy release 1.21.1.

CVE-2022-23606: When a cluster is deleted via Cluster Discovery Service (CDS), all idle connections established to endpoints in that cluster are disconnected. A recursion was erroneously introduced in Envoy version 1.19 into the procedure for disconnecting idle connections; it can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections.

CVE-2022-21655: Envoy's internal redirect code assumes that a route entry exists. When an internal redirect is done to a route that has a direct response entry and no route entry, Envoy dereferences a null pointer and crashes.

CVE-2021-43826: When Envoy is configured to use tcp_proxy with upstream tunneling (over HTTP) and downstream TLS termination, Envoy will crash if the downstream client disconnects during the TLS handshake while the upstream HTTP stream is still being established. The downstream disconnect can be either client- or server-initiated: the client can disconnect for any reason, and the server may disconnect if, for example, it has no TLS ciphers or TLS protocol versions compatible with the client. It may be possible to trigger this crash in other downstream configurations as well.

CVE-2021-43825: Sending a locally generated response must stop further processing of request or response data. Envoy tracks the amount of buffered request and response data and aborts the request, sending a 413 or 500 response, if the amount of buffered data exceeds the limit. However, when a locally generated response is sent because an internal buffer overflows while the response is being processed by the filter chain, the operation may not be aborted correctly, resulting in access to a freed memory block.

CVE-2021-43824: Envoy crashes when using the JWT filter with a "safe_regex" match rule and a specially crafted request such as "CONNECT host:port HTTP/1.1". When the JWT filter is reached, the "safe_regex" rule should evaluate the URL path, but a CONNECT request of this form carries none, and Envoy crashes with a segfault.

CVE-2022-21654: Envoy would incorrectly allow TLS session resumption after mTLS validation settings had been reconfigured. If a client certificate was allowed under the old configuration but disallowed under the new one, the client could resume its previous TLS session even though the current configuration should reject it. Changes to the following settings are affected: match_subject_alt_names, CRL changes, allow_expired_certificate, trust_chain_verification, only_verify_leaf_cert_crl.

CVE-2022-21657: Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS ser
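The resumption bug in CVE-2022-21654 comes down to a session cache that remembers a validation result without remembering which validation settings produced it. The Python model below is added here as an illustration and is not Envoy's code: it shows that pattern beside a listener that binds each cached session to a fingerprint of the settings in force when the session was established, so any change to those settings forces a full handshake. `allowed_sans` and `allow_expired` are stand-ins for match_subject_alt_names and allow_expired_certificate; the client identities, session IDs and certificate attributes are constructed, and the hardened listener is a generic mitigation for this class of bug, not a description of how Envoy 1.21.1 fixes it.

```python
"""Model of CVE-2022-21654's failure mode: a TLS session cache that outlives
a change to mTLS validation settings. Illustrative Python, not Envoy code."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class ClientCert:
    # Only the attributes the modelled settings look at (constructed).
    san: str            # subject alternative name presented by the client
    expired: bool = False


@dataclass(frozen=True)
class ValidationConfig:
    # Stand-ins for match_subject_alt_names and allow_expired_certificate.
    allowed_sans: FrozenSet[str]
    allow_expired: bool = False

    def accepts(self, cert: ClientCert) -> bool:
        if cert.expired and not self.allow_expired:
            return False
        return cert.san in self.allowed_sans

    def fingerprint(self) -> str:
        # Any change to a validation setting changes this digest.
        blob = json.dumps(
            {"sans": sorted(self.allowed_sans), "allow_expired": self.allow_expired},
            sort_keys=True,
        )
        return hashlib.sha256(blob.encode()).hexdigest()


class VulnerableListener:
    """Caches 'session X passed validation' with no memory of which config
    validated it, so reconfiguration does not invalidate the cache."""

    def __init__(self, config: ValidationConfig) -> None:
        self.config = config
        self._sessions: Dict[bytes, ClientCert] = {}

    def reconfigure(self, config: ValidationConfig) -> None:
        self.config = config  # cache is left untouched: the bug

    def full_handshake(self, session_id: bytes, cert: ClientCert) -> bool:
        if not self.config.accepts(cert):
            return False
        self._sessions[session_id] = cert
        return True

    def resume(self, session_id: bytes) -> bool:
        # Resumption never re-consults the current config.
        return session_id in self._sessions


class HardenedListener:
    """Binds each cached session to the fingerprint of the config in force
    when it was established; a mismatch forces a full handshake."""

    def __init__(self, config: ValidationConfig) -> None:
        self.config = config
        self._sessions: Dict[bytes, Tuple[ClientCert, str]] = {}

    def reconfigure(self, config: ValidationConfig) -> None:
        self.config = config

    def full_handshake(self, session_id: bytes, cert: ClientCert) -> bool:
        if not self.config.accepts(cert):
            return False
        self._sessions[session_id] = (cert, self.config.fingerprint())
        return True

    def resume(self, session_id: bytes) -> bool:
        entry = self._sessions.get(session_id)
        if entry is None:
            return False
        _cert, fp = entry
        if fp != self.config.fingerprint():
            del self._sessions[session_id]  # stale: client must do a full handshake
            return False
        return True


def scenario() -> Tuple[bool, bool]:
    """Constructed sequence: a client allowed under the old config tries to
    resume after the operator removes it from the allow-list.
    Returns (vulnerable_resumed, hardened_resumed)."""
    old = ValidationConfig(allowed_sans=frozenset({"spiffe://example/old-client"}))
    new = ValidationConfig(allowed_sans=frozenset({"spiffe://example/other-client"}))
    client = ClientCert(san="spiffe://example/old-client")
    sid = b"session-0001"

    results = []
    for listener in (VulnerableListener(old), HardenedListener(old)):
        assert listener.full_handshake(sid, client)  # allowed under old config
        listener.reconfigure(new)                     # operator revokes the client
        results.append(listener.resume(sid))          # should be False
    return (results[0], results[1])


if __name__ == "__main__":
    print(scenario())  # (True, False)
```

Hashing the whole validation configuration, rather than re-checking the cached certificate, is the conservative choice: it also covers settings such as a replaced CRL or a changed trust_chain_verification mode that cannot be re-evaluated from the certificate alone, at the cost of one extra full handshake per client after each reconfiguration.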
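All of the issues above are fixed in Envoy 1.21.1, so the first practical check is which Envoy build each proxy actually runs. The Python below is an added example (not from the bulletin or the Envoy project): it parses the version line from `envoy --version` output collected from a set of hosts and flags anything below 1.21.1. The output shape assumed is `envoy  version: <build sha>/<major>.<minor>.<patch>/...`, and the sample outputs and host names are constructed. Older release lines may carry backported fixes, but this check trusts only the release the bulletin names, which is the right default when triaging.

```python
"""Audit Envoy version strings against the fix release named in GCP-2022-008.
Added example; the `envoy --version` line format is an assumption, not
something the bulletin states."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First release the bulletin says contains all of the fixes.
FIXED_VERSION: Version = (1, 21, 1)

# Assumed shape of the line `envoy --version` prints:
#   envoy  version: <build sha>/<major>.<minor>.<patch>/<tree>/<build type>/<tls lib>
_VERSION_RE = re.compile(r"version:\s*[0-9a-f]+/(\d+)\.(\d+)\.(\d+)")


def parse_envoy_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `envoy --version` output, or None
    when the text does not contain a version line (e.g. the command failed)."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_fixed(version: Version, fixed: Version = FIXED_VERSION) -> bool:
    """True when the running version is at or above the fix release.
    Tuple comparison orders 1.22.0 above 1.21.1 and 1.21.0 below it."""
    return version >= fixed


def audit(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'fixed', 'vulnerable' or 'unknown' (unparseable output).
    'unknown' is reported rather than silently skipped so it gets followed up."""
    report: Dict[str, str] = {}
    for host, output in outputs.items():
        version = parse_envoy_version(output)
        if version is None:
            report[host] = "unknown"
        elif is_fixed(version):
            report[host] = "fixed"
        else:
            report[host] = "vulnerable"
    return report


# Constructed sample outputs for five hosts (fake build SHAs, fake host names).
SAMPLE_OUTPUTS: Dict[str, str] = {
    "ingress-a": "envoy  version: 0a1b2c3d/1.21.0/Clean/RELEASE/BoringSSL",
    "ingress-b": "envoy  version: 0a1b2c3d/1.21.1/Clean/RELEASE/BoringSSL",
    "ingress-c": "envoy  version: 0a1b2c3d/1.22.0/Clean/RELEASE/BoringSSL",
    "ingress-d": "envoy  version: 0a1b2c3d/1.20.0/Clean/RELEASE/BoringSSL",
    "ingress-e": "sh: envoy: command not found",
}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
```

Feed `audit` a mapping of host to the raw text captured from `envoy --version` (for example via your fleet's remote-exec tooling); a pre-release suffix such as `-dev` after the patch number is ignored by the pattern and treated as the numbered release, so inspect those hosts by hand.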
Notes ★★★
Sent Yes
Tags Guideline


The article does not appear to have been republished after its publication.


The article does not appear to have been taken from an earlier one.