Envoy just pushed out a few security releases today. Since the vulnerabilities were publicly disclosed they couldn’t wait for their usual responsible disclosure process, so we’re racing to keep up. Tomorrow July 9th we will publish Istio 1.5.8 and 1.6.5 with the same fixes.
This vulnerability may affect Istio projects that use subjectAltNames in ServiceEntry and DestinationRule as well as projects that directly configure Envoy’s verify_subject_alt_name and match_subject_alt_names via EnvoyFilter.
You can read their announcement at https://groups.google.com/g/envoy-announce/c/yxFpI54NeWg. Repeating their announcement here for convenience:
Hello Envoy Community,
The Envoy security team would like to announce the availability of v1.15.0, v1.14.4, v1.13.4, and v1.12.6.
This release addresses a defect in how Envoy validates TLS certificates (CVE-2020-15104). This issue has a CVSS score of 6.6 (Medium) (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C).
When validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com.
This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections.
This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com.
Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later.
This issue has been fixed in Envoy versions 1.15.0, 1.14.4, 1.13.4, 1.12.6.
The commit fixing it is 7a1f2bca8c6eed217f1e914695ea29985b3f860f, which is included in 1.15.0. The issue was disclosed publicly immediately before the 1.15.0 release, which is why a security fix is included with a regularly scheduled release.
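The single-label wildcard rule the advisory describes, shown as an added example that is not Envoy's or Istio's code. `loose_wildcard_match` is a constructed matcher that treats `*.example.com` as "anything ending in `.example.com`", which is the over-broad class of behaviour the advisory describes; `strict_wildcard_match` applies the RFC 6125 rule that a wildcard must be the entire leftmost label and stands in for exactly one label. `certificate_satisfies` models the `verify_subject_alt_name` semantics of checking the certificate's SANs against a list of expected names; the function names, the sample certificate SANs and the refusal of bare `*.tld` wildcards are assumptions of this example, not details taken from the page.

```python
"""Wildcard DNS SAN matching, illustrating CVE-2020-15104 (example code, not Envoy's)."""
from typing import Callable, List

Matcher = Callable[[str, str], bool]


def _labels(name: str) -> List[str]:
    """Normalise a DNS name to lowercase labels, dropping a trailing dot."""
    return name.lower().rstrip(".").split(".")


def loose_wildcard_match(san: str, hostname: str) -> bool:
    """Defective matcher (constructed for illustration): a leading '*' swallows
    any number of labels, so '*.example.com' also accepts
    'nested.subdomain.example.com'."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return san == hostname


def strict_wildcard_match(san: str, hostname: str) -> bool:
    """Correct matcher: the wildcard must be the whole leftmost label and
    matches exactly one label; all other labels must match literally."""
    san_labels, host_labels = _labels(san), _labels(hostname)
    # A wildcard never spans label boundaries, so label counts must agree.
    if len(san_labels) != len(host_labels):
        return False
    # No wildcards outside the leftmost label (e.g. 'api.*.example.com').
    if any("*" in label for label in san_labels[1:]):
        return False
    if san_labels[0] == "*":
        # Assumed hardening beyond the advisory: refuse '*.com'-style wildcards
        # that would cover an entire top-level domain.
        if len(san_labels) < 3:
            return False
        return san_labels[1:] == host_labels[1:]
    # Partial wildcards such as 'f*.example.com' are rejected outright.
    if "*" in san_labels[0]:
        return False
    return san_labels == host_labels


def certificate_satisfies(cert_sans: List[str], expected: List[str],
                          matcher: Matcher) -> bool:
    """Validation passes when any SAN presented by the certificate matches
    any of the configured expected names (verify_subject_alt_name semantics)."""
    return any(matcher(san, name) for san in cert_sans for name in expected)


def compare_matchers() -> dict:
    """Run the advisory's scenario through both matchers.

    Constructed scenario: the proxy is configured to trust only
    api.mysubdomain.example.com, and the peer presents a certificate whose
    DNS SAN is the wildcard *.example.com."""
    presented_sans = ["*.example.com"]          # constructed sample certificate
    expected = ["api.mysubdomain.example.com"]  # constructed expected SAN list
    return {
        "loose_accepts": certificate_satisfies(presented_sans, expected, loose_wildcard_match),
        "strict_accepts": certificate_satisfies(presented_sans, expected, strict_wildcard_match),
    }


if __name__ == "__main__":
    for san, host in [("*.example.com", "subdomain.example.com"),
                      ("*.example.com", "nested.subdomain.example.com"),
                      ("*.com", "example.com")]:
        print(f"{san:16} vs {host:30} loose={loose_wildcard_match(san, host)!s:5} "
              f"strict={strict_wildcard_match(san, host)}")
    print(compare_matchers())
```

With the strict matcher, a `*.example.com` certificate cannot satisfy an expected name of `api.mysubdomain.example.com`, which is exactly the trust boundary the advisory says was crossed; the loose matcher accepts it.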