
DoS via request without the Host header

High
htuch published GHSA-f2rv-4w6x-rwhc Dec 10, 2019

Package

No package listed

Affected versions

< 1.12.2

Patched versions

1.12.2

Description

CVE-2019-18838

Brief description

Malformed HTTP request without the Host header may cause abnormal termination of the Envoy process.

CVSS

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
(CVSS score 7.5, High)

Affected version(s)

Envoy 1.12.1 and before.

Affected component(s)

Route manager

Attack vector(s)

An untrusted remote client may send a malformed HTTP request without the "Host" header. When Envoy is configured with encoder filters that access the route manager, such a request may cause abnormal termination of the Envoy process.

Discoverer(s)/Credits

Oleg Guba, Dropbox

Details

Upon receipt of a malformed HTTP request without the "Host" header, the Envoy proxy sends an internally generated "Invalid request" response. This internally generated response is dispatched through the configured encoder filter chain before being sent to the client. An encoder filter that invokes route manager APIs which access the request's "Host" header will cause a NULL pointer to be dereferenced, resulting in abnormal termination of the Envoy process.

Mitigations

  • Disable the Lua filter.
  • Disable vendor specific encoder filters that access request headers.

Detection

Abnormal termination of the Envoy proxy process with the Envoy::Router::RouteMatcher::findVirtualHost() function at the top of the stack trace.
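The following triage helper is an added example, not part of this advisory or of the Envoy project. It checks a crash log for the `findVirtualHost()` frame at the top of the backtrace and for an affected version (before 1.12.2), and it flags request heads that lack the Host header, which is the condition the advisory describes. The backtrace sample is constructed; the exact format printed by a given Envoy build may differ.

```python
import re
from typing import Optional, Tuple

CRASH_FRAME = "Envoy::Router::RouteMatcher::findVirtualHost"
PATCHED = (1, 12, 2)  # first fixed release named in the advisory

# Constructed sample crash output (addresses and the caller frame are
# placeholders; only frame #0 comes from the advisory's Detection section).
SAMPLE_TRACE = """\
[critical][backtrace] Caught Segmentation fault, suspect faulting address 0x0
[critical][backtrace] Envoy version: 1.12.1/Clean/RELEASE/BoringSSL
[critical][backtrace] #0: Envoy::Router::RouteMatcher::findVirtualHost() [0xPLACEHOLDER]
[critical][backtrace] #1: constructed_caller_frame() [0xPLACEHOLDER]
"""

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first X.Y.Z version number from a line, if any."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for Envoy 1.12.1 and earlier."""
    return version < PATCHED

def top_frame(trace: str) -> Optional[str]:
    """Return the symbol in frame #0, the top of the backtrace."""
    m = re.search(r"#0:\s*([^\s\[]+)", trace)
    return m.group(1) if m else None

def matches_advisory(trace: str) -> bool:
    """Crash looks like CVE-2019-18838: top frame is findVirtualHost and
    the version is affected (or could not be determined)."""
    frame = top_frame(trace)
    if frame is None or not frame.startswith(CRASH_FRAME):
        return False
    ver_line = next((l for l in trace.splitlines() if "Envoy version:" in l), "")
    version = parse_version(ver_line)
    return version is None or is_affected(version)

def missing_host(request_head: bytes) -> bool:
    """True when a request head carries no Host header. RFC 7230 requires
    Host on every HTTP/1.1 request; a check like this in front of an
    unpatched Envoy rejects the malformed input before it reaches the proxy."""
    lines = request_head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    return not any(l.lower().startswith(b"host:") for l in lines[1:])

if __name__ == "__main__":
    print("crash matches CVE-2019-18838:", matches_advisory(SAMPLE_TRACE))
    print("missing Host:", missing_host(b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"))
```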

References

Severity

High

CVE ID

CVE-2019-18838

Weaknesses

No CWEs