
Disable remote proxy patching except AWS Lambda #17415

Conversation

@zalimeni (Member) commented May 19, 2023

To avoid unintended tampering with remote downstreams via service config, refactor BasicEnvoyExtender and RuntimeConfig to disallow typical Envoy extensions from being applied to non-local proxies.

Continue to allow this behavior for AWS Lambda and the read-only Validate builtin extensions.

Addresses CVE-2023-2816.

Description

This change addresses CVE-2023-2816 and prevents future bugs by refactoring Envoy extender code and RuntimeConfig to:

  • Prevent all but specific allowed extensions (AWS Lambda and Validate pseudo-extension) from interacting w/ downstream proxies via upstream config.
  • Clearly disambiguate between the source of Envoy extension config (local or upstream) and Envoy resource traffic direction.

Testing & Reproduction steps

  • Manual verification of fix by attempted reproduction post-fix
  • Tests added and updated in this PR to guard intended behavior

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern (addresses existing security concern)
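As an added illustration, not code from this PR or from Consul itself, the Go sketch below models the gate the description introduces: every extension entry is tagged with the service whose config declared it, and an entry that arrived through an upstream's config may act on the proxy being built only if it is on the allow list (AWS Lambda, Validate). The extension name strings and the `ExtensionConfig`/`Decision` types are assumptions for the example.

```go
package main
import "fmt"

// Extension names below are assumptions for this example, not Consul's
// actual builtin identifiers or RuntimeConfig fields.
const (
	extAWSLambda = "builtin/aws/lambda"
	extValidate  = "builtin/proxy/validate" // read-only
	extLua       = "builtin/lua"
)
// ExtensionConfig is one Envoy extension entry plus the service whose proxy
// config declared it; that origin (local vs. upstream) is what the fix keys on.
type ExtensionConfig struct{ Name, FromService string }
// Decision records whether an extension is applied to the proxy being built.
type Decision struct {
	Ext    ExtensionConfig
	Apply  bool
	Reason string
}
// remoteAllowed lists the extensions that may still act on a proxy other than
// the one whose service config declared them.
var remoteAllowed = map[string]bool{extAWSLambda: true, extValidate: true}

// selectExtensions implements the post-fix rule when building xDS config for
// localService: locally declared extensions always apply; extensions carried in
// by an upstream's config apply only if allow-listed. preFix=true reproduces the
// old behaviour, where every upstream-sourced extension was applied.
func selectExtensions(localService string, exts []ExtensionConfig, preFix bool) []Decision {
	var out []Decision
	for _, e := range exts {
		switch {
		case e.FromService == localService:
			out = append(out, Decision{e, true, "declared on local service"})
		case preFix || remoteAllowed[e.Name]:
			out = append(out, Decision{e, true, "from upstream config, allow-listed"})
		default:
			out = append(out, Decision{e, false, "from upstream config, blocked"})
		}
	}
	return out
}

func main() {
	// Constructed scenario: proxy "web" has upstream "api", and api's operator
	// configured Lua and AWS Lambda extensions on api's service config.
	exts := []ExtensionConfig{{extLua, "api"}, {extAWSLambda, "api"}, {extLua, "web"}}
	for _, d := range selectExtensions("web", exts, false) {
		fmt.Printf("%-22s from %s apply=%-5v %s\n", d.Ext.Name, d.Ext.FromService, d.Apply, d.Reason)
	}
}
```

Running it shows the upstream-declared Lua entry blocked while the Lambda entry and web's own Lua entry are applied; flipping `preFix` to true shows the pre-fix behaviour where api's Lua config would have patched web's proxy.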

@github-actions bot added the theme/api (Relating to the HTTP API interface) and theme/envoy/xds (Related to Envoy support) labels on May 19, 2023
@zalimeni force-pushed the zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda branch from 500c0fc to 5564260 on May 19, 2023 19:30
@zalimeni added the theme/security, backport/1.15 (This release series is no longer active on CE. Use backport/ent/1.15.) and pr/no-docs (PR does not include docs and should not trigger reminder for cherrypicking them.) labels and removed the theme/api (Relating to the HTTP API interface) label on May 19, 2023
@zalimeni force-pushed the zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda branch from 5564260 to b5d084a on May 22, 2023 14:57
@zalimeni marked this pull request as ready for review on May 22, 2023 14:57
Comment on lines +1 to +7
```release-note:security
extensions: Disable remote downstream proxy patching by Envoy Extensions other than AWS Lambda. Previously, an operator with service:write ACL permissions for an upstream service could modify Envoy proxy config for downstream services without equivalent permissions for those services. This issue only impacts the Lua extension. [[CVE-2023-2816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816)]
```

```release-note:breaking-change
extensions: The Lua extension now targets local proxy listeners for the configured service's upstreams, rather than remote downstream listeners for the configured service, when ListenerType is set to outbound in extension configuration. See [CVE-2023-2816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816) changelog entry for more details.
```
@zalimeni (Member Author) commented:

I've also seen `xds:` used often, but `extensions:` felt ideal if we're generally using that one.

@zalimeni (Member Author) commented May 22, 2023:

cc @picatz and @hashicorp/consul-docs in case you have input on changelog (I'm happy to address after merge as well)

@zalimeni removed the pr/no-docs (PR does not include docs and should not trigger reminder for cherrypicking them.) label on May 22, 2023
To avoid unintended tampering with remote downstreams via service
config, refactor BasicEnvoyExtender and RuntimeConfig to disallow
typical Envoy extensions from being applied to non-local proxies.

Continue to allow this behavior for AWS Lambda and the read-only
Validate builtin extensions.

Addresses CVE-2023-2816.
@zalimeni force-pushed the zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda branch from b5d084a to ba18381 on May 23, 2023 11:39
@zalimeni enabled auto-merge (squash) on May 23, 2023 11:49
@zalimeni merged commit b8d2640 into main on May 23, 2023
103 checks passed
@zalimeni deleted the zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda branch on May 23, 2023 11:55
nickethier pushed a commit that referenced this pull request May 26, 2023
Labels: backport/1.15 (This release series is no longer active on CE. Use backport/ent/1.15.), theme/envoy/xds (Related to Envoy support), theme/security