Disable remote proxy patching except AWS Lambda #17415
```release-note:security
extensions: Disable remote downstream proxy patching by Envoy Extensions other than AWS Lambda. Previously, an operator with service:write ACL permissions for an upstream service could modify Envoy proxy config for downstream services without equivalent permissions for those services. This issue only impacts the Lua extension. [[CVE-2023-2816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816)]
```

```release-note:breaking-change
extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See [CVE-2023-2816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816) changelog entry for more details.
```
I've also seen `xds:` used often, but `extensions:` felt ideal if we're generally using that one.
cc @picatz and @hashicorp/consul-docs in case you have input on changelog (I'm happy to address after merge as well)
To avoid unintended tampering with remote downstreams via service config, refactor BasicEnvoyExtender and RuntimeConfig to disallow typical Envoy extensions from being applied to non-local proxies. Continue to allow this behavior for AWS Lambda and the read-only Validate builtin extensions. Addresses CVE-2023-2816.
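The rule the commit message describes, as an added illustrative model rather than Consul's own extender code: an extension written via one service's config entry (which only needs service:write on that service) may patch only that service's local proxy, with AWS Lambda and the read-only Validate builtin allow-listed for remote patching. Type and field names, the extension name strings, and the listener naming are assumptions made for this example.

```go
package main

// Simplified model (added example, not Consul's own code) of the rule from
// CVE-2023-2816: an Envoy extension configured on a service may only patch
// that service's own proxy, except for the AWS Lambda and read-only Validate
// builtin extensions, which keep their remote behaviour. Names are assumed.

type ExtensionConfig struct {
	Name         string // assumed: "lua", "aws-lambda", "validate"
	ListenerType string // Lua setting: "inbound" or "outbound"
}

type RuntimeConfig struct {
	ProxyService      string   // service owning the Envoy proxy being built
	ConfiguredService string   // service whose config entry carries the extension
	Upstreams         []string // upstreams of the proxy's local service
}

// remoteAllowed lists the extensions still permitted to patch remote proxies.
var remoteAllowed = map[string]bool{"aws-lambda": true, "validate": true}

// CanApply is the authorization gate: service:write on ConfiguredService is
// all that was needed to write the extension, so it must not reach other
// services' proxies unless the extension is explicitly allow-listed.
func CanApply(ext ExtensionConfig, rc RuntimeConfig) bool {
	return rc.ProxyService == rc.ConfiguredService || remoteAllowed[ext.Name]
}

// LuaTargets returns the listeners a Lua extension patches under the new
// semantics: with ListenerType outbound it patches the local proxy's
// outbound listeners for each upstream, never a downstream's remote proxy.
func LuaTargets(ext ExtensionConfig, rc RuntimeConfig) []string {
	if ext.Name != "lua" || !CanApply(ext, rc) {
		return nil
	}
	if ext.ListenerType == "inbound" {
		return []string{"public_listener:" + rc.ProxyService}
	}
	targets := make([]string, 0, len(rc.Upstreams))
	for _, u := range rc.Upstreams {
		targets = append(targets, "outbound:"+u)
	}
	return targets
}
```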
Description
This change addresses CVE-2023-2816 and prevents future bugs by refactoring Envoy extender code and RuntimeConfig to:
Testing & Reproduction steps
PR Checklist