View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 16, 2019

Red Hat Warns Over Critical “Envoy” Vulnerability: Users Include a Who’s Who of Big Tech

Vuln impacts Red Hat's OpenShift service mesh: patch now available...

By CBR Staff Writer

Red Hat is among the companies urging customers to patch urgently, after a critical vulnerability was identified in the open source software Envoy.

Envoy, created by Lyft, is a tool that underpins microservice service mesh architectures at companies as diverse as AWS, VMware, Airbnb, Stripe and Salesforce.

The Envoy vulnerability was fixed in release 1.12.2 of the software on December 10, after being spotted by Google’s Harvey Tuch; who both discovered and fixed the bug.

Envoy Vulnerability: OpenShift Service Mesh Affected

CVE-2019-18801 (given the CVSS score of a critical 9) can cause “query-of-death”-style issues. A proof-of-concept also exists for further exploitation; bypassing Envoy’s path-based access control to allow access to arbitrary content in the back-end.

The vulnerability centres around the ability of untrusted remote client to “send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1”, a bug report filed by Envoy on GitHub notes.

Openshift Service Mesh 1.0 is among the tools affected by the vulnerability. Red Hat has since updated that software to include Envoy patch. The bug is a crisp reminder of the extent to which a vulnerability in a upstream codebase can permeate down into a range of tools/platforms. Open source’s advocates would no doubt also point to the fact that community members were able to dip into the codebase and spot the flaw.

Envoy is an L7 proxy and communication bus. It creates a transparent communication mesh in which each application sends and receives messages to and from localhost and is unaware of the network topology. It works with any language and can form a mesh between Java, C++, Go, PHP, Python. Those looking forward to patching will be pleased to know that it was designed to be rapidly deployed and upgraded.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

Those unable to patch immediately can mitigate by disabling HTTP/2 protocol for clients, disabling HTTP/1 upstream servers and reducing header size limits to 2KB.

Read this: New “Snatch” Ransomware Mutation Raises Alarm over Defensive Techniques – Bypasses Windows Defender 

Topics in this article : , , , , ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.