Envoy Proxy Fixes Two Zero Day vulnerabilities (UDP Proxy, TCP Proxy)

Nov 22, 2020 · 8 min

Episode description

Envoy Proxy fixed two zero-day vulnerabilities. From the Envoy groups announcement:

We are announcing the fixes for two zero days that were identified today:

  1. Crash in UDP proxy when datagram size is > 1500. This can happen if either MTU > 1500 or if fragmented datagrams are forwarded and reassembled: https://github.com/envoyproxy/envoy/pull/14122. This issue was already under embargo and a new issue was opened in public GitHub.
  2. Proxy proto downstream address not restored correctly for non-HTTP connections: https://github.com/envoyproxy/envoy/pull/14131. This issue was opened publicly recently but the security implications were not clear at the time. This will affect logging and network level RBAC for non-HTTP network connections.
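
The second item matters because network-level RBAC and access logs are only as good as the address they evaluate. The following is an added illustration, not Envoy's code and not part of the announcement: it assumes the PROXY protocol v1 text header, and every address, network and function name in it is constructed for the example. It compares the policy decision made on the socket peer (the load balancer) with the one made on the restored client address.

```python
import ipaddress

def parse_proxy_v1(data: bytes):
    """Return the source IP carried in a PROXY protocol v1 header, or None."""
    end = data.find(b"\r\n", 0, 107)   # a v1 header is at most 107 bytes incl. CRLF
    if not data.startswith(b"PROXY ") or end == -1:
        return None
    fields = data[:end].decode("ascii", "replace").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        return None                    # also covers "PROXY UNKNOWN"
    if not (fields[4].isdigit() and fields[5].isdigit()):
        return None
    if int(fields[4]) > 65535 or int(fields[5]) > 65535:
        return None
    try:
        src = ipaddress.ip_address(fields[2])
        ipaddress.ip_address(fields[3])            # destination must parse too
    except ValueError:
        return None
    want = 4 if fields[1] == "TCP4" else 6
    return src if src.version == want else None

def downstream_address(peer_ip, first_bytes, trusted_proxies):
    """Address that logging and RBAC should see for this connection."""
    peer = ipaddress.ip_address(peer_ip)
    # Honour the header only when the socket peer is a known proxy.
    if any(peer in net for net in trusted_proxies):
        restored = parse_proxy_v1(first_bytes)
        if restored is not None:
            return restored
    return peer

def rbac_allows(addr, allowed_nets):
    return any(addr in net for net in allowed_nets)

# Constructed sample: a load balancer at 10.0.0.5 forwards an external client.
TRUSTED = [ipaddress.ip_network("10.0.0.5/32")]
ALLOWED = [ipaddress.ip_network("10.0.0.0/8")]     # "internal clients only" policy
HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 5432\r\n" + b"payload"

def audit(peer_ip, first_bytes):
    """Compare the decision on the socket peer with the decision on the restored address."""
    peer = ipaddress.ip_address(peer_ip)
    restored = downstream_address(peer_ip, first_bytes, TRUSTED)
    return {"logged_if_not_restored": str(peer), "logged_if_restored": str(restored),
            "peer_allowed": rbac_allows(peer, ALLOWED),
            "restored_allowed": rbac_allows(restored, ALLOWED)}

if __name__ == "__main__":
    print(audit("10.0.0.5", HEADER))
```

When the two decisions differ, a policy written against client addresses is being evaluated against the proxy instead, and the access log records the proxy as the source.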

Resources

https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0

0:00

0:20 UDP Proxy Crash

2:15 Incorrect Downstream Remote Address