Published: Nov. 22, 2020, 11:03 p.m.
Envoy Proxy fixed two zero-day vulnerabilities. From the Envoy security announcement list:
We are announcing the fixes for two zero-days that were identified today:
- Crash in UDP proxy when datagram size is > 1500. This can happen if either MTU > 1500 or if fragmented datagrams are forwarded and reassembled: https://github.com/envoyproxy/envoy/pull/14122. This issue was already under embargo and a new issue was opened in public GitHub.
- Proxy proto downstream address not restored correctly for non-HTTP connections: https://github.com/envoyproxy/envoy/pull/14131. This issue was opened publicly recently but the security implications were not clear at the time. This will affect logging and network level RBAC for non-HTTP network connections.
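As an added illustration, not code from Envoy or the announcement, the Python below models why the second issue matters for network-level RBAC: an allowlist evaluated against the transport peer (the load balancer) instead of the downstream client address carried in a PROXY protocol v1 header. The v1 header format is HAProxy's real text format; the addresses, CIDR and function names are constructed for this example.

```python
import ipaddress
import re

# PROXY protocol v1 text header (HAProxy spec), e.g.
# b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n"
_V1 = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)\r\n")


def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port), remaining_bytes) when data starts with a
    PROXY v1 header, otherwise (None, data) so callers fall back cleanly."""
    m = _V1.match(data)
    if not m:
        return None, data
    src = ipaddress.ip_address(m.group(2).decode())
    return (str(src), int(m.group(4))), data[m.end():]


def rbac_allows(peer_ip: str, allowed_cidrs) -> bool:
    """Network-level RBAC: allow only if the evaluated address is inside an
    allowed CIDR (IPv4/IPv6 version mismatches simply do not match)."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(c) for c in allowed_cidrs)


def evaluate(transport_peer: str, payload: bytes, allowed_cidrs, restore_downstream: bool):
    """Return (address_evaluated, allowed).

    restore_downstream=True  : RBAC sees the client address from the PROXY header.
    restore_downstream=False : models the bug's effect for non-HTTP connections,
                               where RBAC and logs see the load balancer instead."""
    header, _ = parse_proxy_v1(payload)
    if restore_downstream and header is not None:
        evaluated = header[0]
    else:
        evaluated = transport_peer  # no header, or address not restored
    return evaluated, rbac_allows(evaluated, allowed_cidrs)


# Constructed sample: trusted load balancer at 10.0.0.5 forwards a TCP
# connection from an untrusted client 203.0.113.7; policy allows 10.0.0.0/8 only.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\nhello"
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    print("restored:    ", evaluate("10.0.0.5", SAMPLE, TRUSTED, True))   # denied
    print("not restored:", evaluate("10.0.0.5", SAMPLE, TRUSTED, False))  # wrongly allowed
```

The second line of output shows the defender's concern: with the address not restored, the source-IP rule is evaluated against the proxy's own address, so it passes and the access log records the wrong peer.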
Resources
https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0
0:00
0:20 UDP Proxy Crash
2:15 Incorrect Downstream Remote Address