Gloo Security Update for Envoy Proxy CVE-2020-8659, CVE-2020-8661, CVE-2020-8664, CVE-2020-8660


Yesterday, Envoy Proxy announced versions 1.13.1 and 1.12.3 to address four CVEs ranging in severity from medium to high. Gloo Open Source versions 1.3.11 and 1.2.23 and Gloo Enterprise versions 1.3.0-beta4 and 1.2.10 have been released and include the patched version of Envoy Proxy. We recommend that all end users upgrade to the latest version of Gloo to protect their environment. View the changelog here.
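The first thing an operator needs is a quick way to tell which running proxies still predate the fixed releases named above. The following is an added example, not code from Gloo or Envoy: it encodes the fixed versions from this advisory (Envoy 1.13.1/1.12.3, Gloo Open Source 1.3.11/1.2.23) and flags any version string or image tag that is older than the patched release of its branch. The inventory strings are constructed for illustration; the Gloo Enterprise pre-release tag (1.3.0-beta4) is deliberately not modelled, since the x.y.z parser ignores pre-release suffixes.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by release branch (major, minor).
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "envoy":    {(1, 13): (1, 13, 1), (1, 12): (1, 12, 3)},
    "gloo-oss": {(1, 3): (1, 3, 11), (1, 2): (1, 2, 23)},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Return the first x.y.z triple in an image tag or an `envoy --version` line.

    Pre-release suffixes (e.g. -beta4) are ignored, so assess those separately.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(product: str, text: str) -> bool:
    """True if the version is older than the patched release of its branch.

    Branches older than the oldest patched branch never received the fix
    (the advisory says 1.13.0 *or earlier* is affected); branches newer than
    the newest patched branch were cut after the fix and are treated as safe.
    """
    version = parse_version(text)
    branches = FIXED[product]
    branch = version[:2]
    if branch in branches:
        return version < branches[branch]
    return branch < min(branches)


def audit(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the entries of a (product, version-or-image) list that need an upgrade."""
    return [text for product, text in inventory if is_affected(product, text)]


# Constructed sample inventory (made-up strings, not output from a real cluster):
# image tags as you would collect them from `kubectl get pods -A -o jsonpath=...`
# plus one line in the shape of `envoy --version` output.
SAMPLE_INVENTORY = [
    ("gloo-oss", "quay.io/solo-io/gloo-envoy-wrapper:1.3.10"),
    ("gloo-oss", "quay.io/solo-io/gloo-envoy-wrapper:1.2.23"),
    ("envoy", "envoyproxy/envoy:v1.13.0"),
    ("envoy", "envoy  version: 0123456789abcdef0123456789abcdef01234567/1.12.3/Clean/RELEASE/BoringSSL"),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_INVENTORY):
        print("needs upgrade:", entry)
```

Run it against your own list of gateway-proxy image tags; anything it prints is still running an Envoy with the four CVEs unpatched. Note that the branch table is the advisory's, so if you pin Envoy independently of Gloo, audit that image under the `envoy` product rather than `gloo-oss`.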

More information about the CVEs is included below and in the community notification.


  • CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1. Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks.


  • CVE-2020-8661 (CVSS score 7.5, High): Response flooding for HTTP/1.1. Envoy version 1.13.0 or earlier may consume excessive amounts of memory when responding internally to pipelined requests.


  • CVE-2020-8664 (CVSS score 5.3, Medium): Incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g. a trusted CA) across many resources together with the combined validation context could lead to the "static" part of the validation context not being applied, even though it was visible in the active config dump. In other words, the config dump is not a reliable check here; only the upgrade is.


  • CVE-2020-8660 (CVSS score 5.3, Medium): TLS inspector bypass. The TLS inspector could be bypassed (the connection was not recognized as coming from a TLS client) by a client that offered only TLS 1.3. Because the TLS extensions (SNI, ALPN) were then not inspected, those connections could be matched to the wrong filter chain, possibly bypassing security restrictions that depend on the filter chain match.
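To see what the TLS inspector bypass puts at risk, it helps to look at what a filter chain match actually reads from a ClientHello and what happens when that read fails. The block below is an added example, not Envoy's inspector code, and it does not reproduce the bug: it builds a TLS 1.3-only ClientHello (only `supported_versions` 0x0304, with `legacy_version` still 0x0303 as TLS 1.3 requires), parses SNI, ALPN and supported versions back out of it, and then runs a simplified SNI-based filter chain selection. The chain names and the all-0x11 random are constructed for illustration; the point is that a TLS 1.3-only hello still carries SNI and ALPN in the clear, so an inspector that reads the hello correctly can route on them, while an inspector that fails to recognize the hello as TLS falls through to the default chain.

```python
import struct
from typing import Any, Dict, List, Optional, Sequence, Tuple

EXT_SNI, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0, 16, 43
TLS12, TLS13 = 0x0303, 0x0304


def _vec(data: bytes, size: int) -> bytes:
    """Length-prefixed vector with a `size`-byte big-endian length."""
    return len(data).to_bytes(size, "big") + data


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni: str, alpn: List[str], versions: List[int], ciphers: List[int]) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with SNI, ALPN and supported_versions."""
    exts = _ext(EXT_SNI, _vec(b"\x00" + _vec(sni.encode(), 2), 2))          # host_name entry
    exts += _ext(EXT_ALPN, _vec(b"".join(_vec(p.encode(), 1) for p in alpn), 2))
    exts += _ext(EXT_SUPPORTED_VERSIONS, _vec(b"".join(struct.pack("!H", v) for v in versions), 1))
    body = struct.pack("!H", TLS12)        # legacy_version is 0x0303 even for TLS 1.3-only clients
    body += b"\x11" * 32                   # client random (constructed, fixed for the example)
    body += _vec(b"", 1)                   # empty legacy_session_id
    body += _vec(b"".join(struct.pack("!H", c) for c in ciphers), 2)
    body += _vec(b"\x00", 1)               # compression methods: null only
    body += _vec(exts, 2)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!H", 0x0301) + _vec(handshake, 2)   # record layer header


def inspect_client_hello(data: bytes) -> Dict[str, Any]:
    """Extract the fields a filter chain match relies on (SNI, ALPN, versions) from a ClientHello."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    out: Dict[str, Any] = {"legacy_version": struct.unpack("!H", hs[4:6])[0],
                           "sni": None, "alpn": [], "versions": []}
    pos = 4 + 2 + 32                                   # type+length, legacy_version, random
    pos += 1 + hs[pos]                                 # legacy_session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SNI:
            name_len = struct.unpack("!H", body[3:5])[0]     # skip list length + name_type
            out["sni"] = body[5:5 + name_len].decode()
        elif ext_type == EXT_ALPN:
            i = 2                                            # skip protocol list length
            while i < len(body):
                n = body[i]
                out["alpn"].append(body[i + 1:i + 1 + n].decode())
                i += 1 + n
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            n = body[0]
            out["versions"] = [struct.unpack("!H", body[1 + 2 * k:3 + 2 * k])[0] for k in range(n // 2)]
    return out


def is_tls13_only(info: Dict[str, Any]) -> bool:
    """True when the client offers nothing below TLS 1.3 in supported_versions."""
    return bool(info["versions"]) and all(v >= TLS13 for v in info["versions"])


# Constructed filter chains: (name, server_names it matches); empty server_names is the default chain.
CHAINS: List[Tuple[str, Sequence[str]]] = [("api-mtls", ("api.example.com",)), ("default", ())]


def select_filter_chain(sni: Optional[str], chains: List[Tuple[str, Sequence[str]]]) -> Optional[str]:
    """Simplified SNI match: an exact server_names hit wins, otherwise the default chain."""
    for name, server_names in chains:
        if sni is not None and sni in server_names:
            return name
    for name, server_names in chains:
        if not server_names:
            return name
    return None


if __name__ == "__main__":
    hello = build_client_hello("api.example.com", ["h2", "http/1.1"], [TLS13], [0x1301])
    info = inspect_client_hello(hello)
    print(info, "tls1.3-only:", is_tls13_only(info))
    print("inspected  ->", select_filter_chain(info["sni"], CHAINS))
    print("uninspected->", select_filter_chain(None, CHAINS))   # what a missed inspection falls back to
```

The last two prints make the security consequence concrete: with the SNI read, the TLS 1.3-only client lands on the `api-mtls` chain; if the inspector does not treat the connection as TLS, no SNI is available and the same client lands on the default chain, with whatever restrictions that chain lacks. An `openssl s_client -tls1_3 -servername api.example.com` run against a real listener, compared with the same run under `-tls1_2`, is the corresponding field check.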


Questions?