PT-2020-12825 · Envoy, Istio

Published 2020-04-15 · Updated 2024-03-06 · CVE-2020-11767
CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Istio versions 1.5.1 and earlier
Envoy versions 1.14.1 and earlier
Description
Istio 1.5.1 and earlier and Envoy 1.14.1 and earlier have a data-leak issue. When a TLS connection is negotiated with an SNI that matches a wildcard configuration such as *.example.com, a later request on that same connection for a host configured explicitly (e.g., abc.example.com) is handled by the server(s) behind *.example.com rather than by the configuration for abc.example.com. The filter chain is chosen from the SNI at handshake time, and the HTTP :authority (Host) of each subsequent request is not checked against it. The correct outcome is a 421 Misdirected Request, the status HTTP/2 defines for a request that a server is not configured to answer on the connection it arrived on (RFC 7540, section 9.1.2), which makes the client retry on a connection opened for that host.

Consider a shared caching forward proxy that reuses one HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com and the abc.example.com server recycles its TCP connection to the forward proxy, the proxy may carry the victim's next requests on a connection it already holds to a *.example.com server, and the victim's browser then sends sensitive data intended for abc.example.com to that server. The forward proxy is allowed to reuse the connection by the specification; the defect is that neither Istio nor Envoy corrects the misrouting with a 421, which voids the per-origin isolation browsers rely on for HTTP/2.
Recommendations
Istio versions 1.5.1 and earlier: update to a release that includes the fix for this issue.
Envoy versions 1.14.1 and earlier: update to a release that includes the fix for this issue.
As a temporary workaround, restrict HTTP/2 connection reuse in shared caching forward proxies so that a connection opened for one hostname is not reused for requests to another, which limits the window for data leakage. To verify a deployment, send a request whose :authority is an explicitly configured host (e.g., abc.example.com) over a connection negotiated with a different SNI under the wildcard and confirm that the response is 421 Misdirected Request rather than a response served by the *.example.com backend.
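The following is an added example, not code from Envoy, Istio, or this advisory. It models in Go the behaviour described above: a listener whose filter chains are selected by SNI at handshake time, a connection bound to the wildcard chain, and a request dispatcher that re-resolves the chain from each request's :authority and answers 421 Misdirected Request when it differs from the chain the connection was negotiated for. The chain names (abc_chain, wildcard_chain), hostnames (cdn.example.com), and the forward-proxy reuse scenario are constructed for illustration. Wildcard matching follows the one-label rule, so *.example.com covers abc.example.com but not example.com or a.b.example.com.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Envoy or Istio code: a listener whose filter chains are
// selected by SNI, plus the check the advisory says is missing: 421 Misdirected
// Request (RFC 7540 section 9.1.2) when :authority belongs to another chain.

// FilterChain stands in for an Envoy filter chain matched on server_names,
// which are exact hostnames or one-label wildcards like "*.example.com".
type FilterChain struct {
	Name        string
	ServerNames []string
}

type Listener struct{ Chains []FilterChain }

// Conn is a TLS connection and the chain its SNI bound it to at handshake.
type Conn struct {
	SNI   string
	Chain *FilterChain
}

type Response struct {
	Status int
	Chain  string // serving chain; empty on 421
}

// matchesServerName applies the one-label wildcard rule: "*.example.com"
// covers "abc.example.com" but neither "example.com" nor "a.b.example.com".
func matchesServerName(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// selectChain resolves a hostname to a chain, exact server_name before wildcard.
func (l *Listener) selectChain(host string) *FilterChain {
	var wildcard *FilterChain
	for i := range l.Chains {
		for _, sn := range l.Chains[i].ServerNames {
			switch {
			case !matchesServerName(sn, host): // try the next name
			case !strings.HasPrefix(sn, "*."):
				return &l.Chains[i]
			case wildcard == nil:
				wildcard = &l.Chains[i]
			}
		}
	}
	return wildcard
}

// Handshake binds a new connection to the chain its SNI selects.
func (l *Listener) Handshake(sni string) (*Conn, error) {
	c := l.selectChain(sni)
	if c == nil {
		return nil, fmt.Errorf("no filter chain for SNI %q", sni)
	}
	return &Conn{SNI: sni, Chain: c}, nil
}

// vulnerableHandle is the advisory's behaviour: the SNI-selected chain serves
// every request on the connection, whatever :authority says.
func (l *Listener) vulnerableHandle(conn *Conn, authority string) Response {
	return Response{Status: 200, Chain: conn.Chain.Name}
}

// HandleRequest adds the missing check: re-resolve the chain from :authority
// and answer 421 if it is not the chain the connection was negotiated for,
// so a coalescing browser or forward proxy retries on a new connection.
func (l *Listener) HandleRequest(conn *Conn, authority string) Response {
	if target := l.selectChain(authority); target == nil || target != conn.Chain {
		return Response{Status: 421}
	}
	return Response{Status: 200, Chain: conn.Chain.Name}
}

func exampleListener() *Listener {
	return &Listener{Chains: []FilterChain{
		{Name: "abc_chain", ServerNames: []string{"abc.example.com"}},
		{Name: "wildcard_chain", ServerNames: []string{"*.example.com"}},
	}}
}

func main() {
	l := exampleListener()
	// Connection opened for another host under the wildcard, then reused by a
	// forward proxy for the victim's request to abc.example.com.
	conn, _ := l.Handshake("cdn.example.com")
	fmt.Printf("vulnerable: %+v\n", l.vulnerableHandle(conn, "abc.example.com"))
	fmt.Printf("fixed:      %+v\n", l.HandleRequest(conn, "abc.example.com"))
}
```

vulnerableHandle reproduces the leak: a request for abc.example.com carried on a connection opened for cdn.example.com is served by wildcard_chain, bypassing the explicit abc.example.com configuration. HandleRequest answers that request with 421 and still serves requests whose :authority resolves to the same chain the connection was negotiated for. In a real Envoy deployment the equivalent comparison would sit in an HTTP filter that can see both the negotiated SNI (Envoy exposes it as the requested server name) and the :authority header; the model above only shows the decision logic, not an Envoy filter.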

Related Identifiers

BIT-ENVOY-2020-11767
CVE-2020-11767

Affected Products

Envoy
Istio