Vulnerabilities > CVE-2019-18838 - NULL Pointer Dereference vulnerability in Envoyproxy Envoy
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
An issue was discovered in Envoy 1.12.0. Upon receipt of a malformed HTTP request without a Host header, it sends an internally generated "Invalid request" response. This internally generated response is dispatched through the configured encoder filter chain before being sent to the client. An encoder filter that invokes route manager APIs that access a request's Host header causes a NULL pointer dereference, resulting in abnormal termination of the Envoy process.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-2_0-0229_ENVOY.NASL description An update of the envoy package has been released. last seen 2020-04-30 modified 2020-04-22 plugin id 135867 published 2020-04-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135867 title Photon OS 2.0: Envoy PHSA-2020-2.0-0229 NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-1_0-0290_ENVOY.NASL description An update of the envoy package has been released. last seen 2020-05-03 modified 2020-04-29 plugin id 136105 published 2020-04-29 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136105 title Photon OS 1.0: Envoy PHSA-2020-1.0-0290 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-4222.NASL description Red Hat OpenShift Service Mesh 1.0.3. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat OpenShift Service Mesh is Red Hat last seen 2020-06-01 modified 2020-06-02 plugin id 132031 published 2019-12-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132031 title RHEL 8 : Red Hat OpenShift Service Mesh 1.0.3 RPMs (RHSA-2019:4222)
Redhat
rpms |
|
References
- https://blog.envoyproxy.io
- https://blog.envoyproxy.io
- https://github.com/envoyproxy/envoy/commits/master
- https://github.com/envoyproxy/envoy/commits/master
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc
- https://groups.google.com/forum/#%21forum/envoy-users
- https://groups.google.com/forum/#%21forum/envoy-users