Envoy Proxy Fixes Two Zero Day vulnerabilities (UDP Proxy, TCP Proxy)
Length: 8 minutes
Released: Nov 22, 2020
Format: Podcast episode
Description
Envoy Proxy has fixed two zero-day vulnerabilities. From the envoy-security-announce group:
We are announcing the fixes for two zero days that were identified today:
Crash in UDP proxy when datagram size is > 1500. This can happen if either MTU > 1500 or if fragmented datagrams are forwarded and reassembled: https://github.com/envoyproxy/envoy/pull/14122. This issue was already under embargo and a new issue was opened in public GitHub.
Proxy proto downstream address not restored correctly for non-HTTP connections: https://github.com/envoyproxy/envoy/pull/14131. This issue was opened publicly recently but the security implications were not clear at the time. This will affect logging and network level RBAC for non-HTTP network connections.
Resources
https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0
0:20 UDP Proxy Crash
2:15 Incorrect Downstream Remote Address
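To make the second issue concrete, here is an added example (not Envoy's code) modelling why the restored PROXY-protocol address matters for logging and network RBAC. The PROXY v1 parser, the Downstream record, the CIDR allow-list and the sample addresses are all constructed for illustration; the `restore=False` path stands in for the failure the announcement describes, where the real client address is not restored for a non-HTTP connection.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

class Downstream(NamedTuple):
    transport_addr: str            # peer of the TCP socket (e.g. a load balancer)
    restored_addr: Optional[str]   # original client from the PROXY header, if any

def parse_proxy_v1(data: bytes) -> Tuple[Optional[str], bytes]:
    """Parse a PROXY protocol v1 line. Returns (source address or None, remaining bytes)."""
    if not data.startswith(b"PROXY "):
        return None, data                      # no PROXY header on this connection
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > 107:               # v1 header is at most 107 bytes incl. CRLF
        raise ValueError("malformed PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, data[end + 2:]            # sender did not know the client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])      # rejects garbage before it reaches RBAC
    return str(src), data[end + 2:]

def effective_remote(ds: Downstream) -> str:
    # Logging and RBAC must use the restored client address whenever one exists;
    # falling back to the transport peer means attributing traffic to the load balancer.
    return ds.restored_addr or ds.transport_addr

def rbac_allows(ds: Downstream, allowed_cidrs) -> bool:
    ip = ipaddress.ip_address(effective_remote(ds))
    return any(ip in ipaddress.ip_network(c) for c in allowed_cidrs)

def handle_connection(peer: str, first_bytes: bytes, allowed_cidrs, restore: bool = True):
    """Return (rbac decision, address that would be logged, payload after the header)."""
    src, payload = parse_proxy_v1(first_bytes)
    ds = Downstream(peer, src if restore else None)   # restore=False mimics the bug
    return rbac_allows(ds, allowed_cidrs), effective_remote(ds), payload

if __name__ == "__main__":
    # Constructed sample: internal load balancer 10.0.0.5 forwards a client from 203.0.113.7.
    hdr = b"PROXY TCP4 203.0.113.7 10.0.0.9 40000 443\r\nhello"
    print(handle_connection("10.0.0.5", hdr, ["10.0.0.0/8"], restore=True))   # (False, '203.0.113.7', b'hello')
    print(handle_connection("10.0.0.5", hdr, ["10.0.0.0/8"], restore=False))  # (True, '10.0.0.5', b'hello')
```

With the address restored the internal-only allow-list correctly rejects the external client; without it the decision and the access log both see the load balancer's 10.0.0.5, which is the logging and RBAC impact the announcement warns about.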