forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
1.21.3.yaml
19 lines (17 loc) · 1.76 KB
/
1.21.3.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
date: June 9, 2022
bug_fixes:
- area: decompression
change: |
fixed CVE-2022-29225 due to which decompressors can be zip bombed. Previously decompressors were susceptible to memory inflation in takes in which specially crafted payloads could cause a large amount of memory usage by Envoy. The max inflation payload size is now limited. This change can be reverted via the ``envoy.reloadable_features.enable_compression_bomb_protection`` runtime flag.
- area: health_check
change: |
fixed CVE-2022-29224 which caused a segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
- area: oauth
change: |
fixed CVE-2022-29226 due to which oauth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
- area: oauth
change: |
fixed CVE-2022-29228 due to which oauth filter calls continueDecoding() from within decodeHeaders(). The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions.
- area: router
change: |
fixed CVE-2022-29227 which caused an internal redirect crash for requests with body/trailers. Envoy would previously crash in some cases when processing internal redirects for requests with bodies or trailers if the redirect prompts an Envoy-generated local reply.