The Envoy security team today [announced] the availability of Envoy 1.9.1 to address two high-risk vulnerabilities related to header values and HTTP URL paths.

We also released the GetEnvoy build of Envoy 1.9.1 and the latest master build that fixes the vulnerability. Users are encouraged to upgrade to 1.9.1 or latest master build to address the following CVEs:

  • CVE-2019-9900: When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
  • CVE-2019-9901: Envoy does not normalize HTTP URL paths in Envoy 1.9 and before. A remote attacker may craft a path with a relative path, e.g. something/../admin, to bypass access control, e.g. a block on /admin. A backend server could then interpret the unnormalized path and provide an attacker access beyond the scope provided for by the access control policy.

Am I at Risk?

Not all Envoy users will be directly impacted by these vulnerabilities. Envoy configurations are most vulnerable if headers are used for access control and routing or if path-based access control or routing is used for deployments.

If you’re running GetEnvoy, upgrade GetEnvoy to the last version and run:

getenvoy verify

to see if your installed Envoy contains the security fixes. If yours doesn’t, please run:

getenvoy fetch

to get the latest build from us.

More recent versions will still be vulnerable to CVE-2019-9901 if they do not enable path normalization via either the HTTP Connection Manager configuration HttpConnectionManager.normalize_path field or the http_connection_manager.normalize_path runtime option.

  • CVE-2019-9900: Those most likely to be affected will have HTTP/1.1 traffic from untrusted endpoints and will make use of header based matching for access control or routing (including ext_authz, rate limiting service, and similar inbuilt filters).
  • CVE-2019-9901: Any deployment that uses path-based access control or routing is likely affected, in particular where routing decisions are intended to block or allow access (e.g. disabling an /admin handler). This will also depend on upstream path normalization semantics. If you use Envoy’s RBAC or ext_authz filter, together with prefix path matching or suffix header matching, it is likely that you are directly affected. If you have custom filters that rely on the request path or headers, you will need to perform additional risk assessment.

How do I mitigate?

See mitigation details in Envoy’s documentation on CVE-2019-9900 and CVE-2019-9901.

How do I upgrade?

To get our latest release, run

getenvoy fetch

In addition to upgrading, it is necessary to enable path normalization via either the HTTP Connection Manager configuration HttpConnectionManager.normalize_path field or the http_connection_manager.normalize_path runtime option to mitigate CVE-2019-9901.

Tetrate will continue to work in close coordination with the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.