CVE-2024-45806
Public on
Last Modified:
Description
A vulnerability was found in Envoy that allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. This issue arises due to Envoy's default configuration of internal trust boundaries, which considers all RFC1918 private address ranges as internal. The default behavior for handling internal addresses in Envoy has been changed. Previously, RFC1918 IP addresses were automatically considered internal, even if the internal_address_config was empty. The default configuration of Envoy will continue to trust internal addresses while in this release and it will not trust them by default in next release. If you have tooling such as probes on your private network which need to be treated as trusted such as changing arbitrary x-envoy headers, please explicitly include those addresses or CIDR ranges into internal_address_config. Successful exploitation could allow attackers to bypass security controls, access sensitive data, or disrupt services within the mesh, like Istio.
Statement
Red Hat's CVSS score and impact are specific to our product and may not match those of upstream. This is due to how envoy is configured and used within our OpenShift Service Mesh product.
Mitigation
This flaw can be mitigated by configuring envoy to treat all IPs as external. This is done by setting the internal_address_config range for envoy to `0.0.0.0/32`.
Additional information
- Bugzilla 2313683: envoy: Potential to manipulate `x-envoy` headers from external sources
- CWE-639: Authorization Bypass Through User-Controlled Key
- FAQ: Frequently asked questions about CVE-2024-45806
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 7.4 | 6.5 |
Attack Vector | Network | Network |
Attack Complexity | High | Low |
Privileges Required | None | None |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality Impact | High | Low |
Integrity Impact | High | Low |
Availability Impact | None | None |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Red Hat CVSS v3 Score Explanation
Red Hat's CVSS score and impact are specific to our product and may not match those of upstream. This is due to how envoy is configured and used within our OpenShift Service Mesh product.
Acknowledgements
This issue was discovered by James Force (Red Hat) and Mike Whale.
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
