Bug ID | 1165615 |
---|---|
Summary | VUL-0: envoy-proxy: multiple security issues |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | mrostecki@suse.com |
Reporter | abergmann@suse.com |
QA Contact | security-team@suse.de |
Found By | --- |
Blocker | --- |
This only affects openSUSE:Factory.

https://blog.getambassador.io/high-severity-vulnerabilities-in-envoy-proxy-34f49bab78b1

The full list of vulnerabilities addressed in this release is:

* CVE-2020-8659 (CVSS score 7.5, High): Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks.
* CVE-2020-8661 (CVSS score 7.5, High): Envoy version 1.13.0 or earlier may consume excessive amounts of memory when responding internally to pipelined requests.
* CVE-2020-8664 (CVSS score 5.3, Medium): Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the "static" part of the validation context to be not applied, even though it was visible in the active config dump.
* CVE-2020-8660 (CVSS score 5.3, Medium): TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process.

These security fixes are also included in Envoy 1.13.1 and 1.12.3, which are also being released today.
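The inspection gap behind CVE-2020-8660 comes from how TLS 1.3 is signalled: a TLS 1.3 ClientHello still carries a legacy version of 1.2 (or 1.0) in its fixed fields, and the real version, the SNI and the ALPN list all live in the extension block. The Python below is an added example, not Envoy's own code; it builds a constructed TLS 1.3-only ClientHello and shows the extension walk an inspector needs in order to recognise such a client and recover SNI/ALPN for filter-chain matching.

```python
import struct

def _ext(ext_type, body):  # one TLS extension: type(2) | length(2) | body
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(server_name, alpn_protocols):
    """Constructed TLS 1.3 ClientHello; legacy_version still says TLS 1.2."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
    alpn_body = struct.pack("!H", len(alpn_list)) + alpn_list
    exts = (_ext(0x002B, b"\x02\x03\x04")    # supported_versions: only TLS 1.3
            + _ext(0x0000, sni_body)         # server_name
            + _ext(0x0010, alpn_body))       # ALPN
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # legacy_version, random, empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_client_hello(data):
    """Walk the extension block: return (versions, sni, alpn) of a ClientHello."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                        # 5-byte record + 4-byte handshake header
    versions = {struct.unpack("!H", data[pos:pos + 2])[0]}   # legacy_version only
    pos += 2 + 32                                  # legacy_version, random
    pos += 1 + data[pos]                           # session id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]     # cipher suites
    pos += 1 + data[pos]                           # compression methods
    ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    sni, alpn = None, []
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x002B:                        # supported_versions: the real TLS 1.3 signal
            versions |= {struct.unpack("!H", body[i:i + 2])[0] for i in range(1, 1 + body[0], 2)}
        elif etype == 0x0000 and body[2] == 0:     # server_name, host_name type
            sni = body[5:5 + struct.unpack("!H", body[3:5])[0]].decode()
        elif etype == 0x0010:                      # ALPN: length-prefixed protocol names
            i = 2
            while i < len(body):
                alpn.append(body[i + 1:i + 1 + body[i]].decode())
                i += 1 + body[i]
    return versions, sni, alpn
```

An inspector that stops at the legacy version field sees only 0x0303 here; walking the extensions yields 0x0304 together with the SNI and ALPN values that filter-chain matching relies on.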