View | Details | Raw Unified | Return to bug 247735

(-)vuln.xml (+42 lines)
Line 60 Link Here
61
  <vuln vid="d95ac560-bd02-11ea-b78f-b42e99a1b9c3">
62
    <topic>envoy -- multiple vulnerabilities</topic>
63
    <affects>
64
      <package>
65
	<name>istio</name>
66
	<range><ge>1.5.0</ge><lt>1.5.6</lt></range>
67
      </package>
68
      <package>
69
	<name>envoy</name>
70
	<range><lt>1.12.5</lt></range>
71
      </package>
72
    </affects>
73
    <description>
74
      <body xmlns="http://www.w3.org/1999/xhtml">
75
	<p>istio developers report:</p>
76
	<blockquote cite="https://istio.io/latest/news/security/istio-security-2020-007/">
77
	  <p>Envoy, and subsequently Istio, are vulnerable to four newly discovered vulnerabilities</p>
78
      <ul>
79
    <li>CVE-2020-12603: By sending a specially crafted packet, an attacker could cause Envoy to consume excessive amounts of memory when proxying HTTP/2 requests or responses.</li>
80
    <li>CVE-2020-12605: An attacker could cause Envoy to consume excessive amounts of memory when processing specially crafted HTTP/1.1 packets.</li>
81
    <li>CVE-2020-8663: An attacker could cause Envoy to exhaust file descriptors when accepting too many connections.</li>
82
    <li>CVE-2020-12604: An attacker could cause increased memory usage when processing specially crafted packets.</li>
83
      </ul>
84
	</blockquote>
85
      </body>
86
    </description>
87
    <references>
88
      <url>https://github.com/envoyproxy/envoy/security/advisories/GHSA-pc38-4q6c-85p6</url>
89
      <url>https://github.com/envoyproxy/envoy/security/advisories/GHSA-8hf8-8gvw-ggvx</url>
90
      <url>https://github.com/envoyproxy/envoy/security/advisories/GHSA-fjxc-jj43-f777</url>
91
      <url>https://github.com/envoyproxy/envoy/security/advisories/GHSA-v8q7-fq78-4997</url>
92
      <cvename>CVE-2020-8663</cvename>
93
      <cvename>CVE-2020-12605</cvename>
94
      <cvename>CVE-2020-12604</cvename>
95
      <cvename>CVE-2020-12603</cvename>
96
    </references>
97
    <dates>
98
      <discovery>2020-06-30</discovery>
99
      <entry>2020-07-03</entry>
100
    </dates>
101
  </vuln>
102
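Review bot: The version ranges in the <affects> block look narrower than the advisory text suggests and should be checked against the cited advisories before commit. The envoy package has only <range><lt>1.12.5</lt></range>, so any envoy version at or above 1.12.5 is treated as fixed. If the four GHSA advisories in <references> list fixes on more than one release branch, each branch needs its own <ge>/<lt> range. Otherwise users on a newer but unpatched branch will not be flagged by the audit. The same applies to istio, where <ge>1.5.0</ge><lt>1.5.6</lt> covers a single branch. Confirm against the istio-security-2020-007 page that no other supported branch is affected. Separately, the <ul> and <li> lines inside the blockquote are indented with spaces at a shallower level than the enclosing tab-indented <p>. Please re-indent them to match the surrounding body, wrap the long <li> lines, and capitalise "Istio" in <p>istio developers report:</p>.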
