PT-2020-14187 · Envoy · Envoy

Yann-Soubeyrand · Published 2020-07-14 · Updated 2024-03-06 · CVE-2020-15104

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Envoy versions prior to 1.12.6
Envoy versions prior to 1.13.4
Envoy versions prior to 1.14.4
Envoy versions prior to 1.15.0
Description

The issue arises when validating TLS certificates: Envoy incorrectly allows a wildcard DNS Subject Alternative Name to apply to multiple subdomains. This defect affects both client TLS certificate validation in mTLS and server TLS certificate validation for upstream connections. The vulnerability applies in situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you intend to trust only a subdomain. Configurations using verify_subject_alt_name in any Envoy version, or match_subject_alt_names in version 1.14 or later, are vulnerable.
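To make the defect concrete, here is an added Python example (not Envoy's code) that contrasts a constructed suffix-style wildcard check with one that limits the wildcard to a single leftmost label, run against the scenario the description gives; the hostnames, SAN values and function names are assumptions.

```python
def _labels(name):
    # Case-insensitive comparison; tolerate a trailing dot on absolute names.
    return name.lower().rstrip(".").split(".")

def san_matches_strict(cert_san, configured_name):
    """Correct behaviour: '*' may only stand in for the single leftmost label,
    so '*.example.com' covers 'sub.example.com' but not 'nested.sub.example.com'."""
    san, host = _labels(cert_san), _labels(configured_name)
    if san[0] != "*":
        return san == host                      # exact, case-insensitive match
    if "*" in san[1:] or len(san) < 3:
        return False                            # one leftmost wildcard only; reject '*.com'
    return len(san) == len(host) and san[1:] == host[1:]

def san_matches_loose(cert_san, configured_name):
    """Constructed buggy matcher mirroring the defect: the wildcard is reduced to
    a suffix test, so it swallows any number of labels."""
    san = cert_san.lower().rstrip(".")
    host = configured_name.lower().rstrip(".")
    if san.startswith("*."):
        return host.endswith(san[1:])           # '*.example.com' -> '.example.com'
    return san == host

def peer_trusted(configured_names, cert_sans, matcher):
    """Accept the peer if any DNS SAN in its certificate satisfies any configured name."""
    return any(matcher(san, name) for name in configured_names for san in cert_sans)

# Constructed scenario from the description: the deployment trusts exactly one
# host, but the peer presents a wildcard certificate for the parent domain.
TRUSTED_NAMES = ["billing.internal.example.com"]
WILDCARD_CERT_SANS = ["*.example.com"]

if __name__ == "__main__":
    print("loose :", peer_trusted(TRUSTED_NAMES, WILDCARD_CERT_SANS, san_matches_loose))   # True
    print("strict:", peer_trusted(TRUSTED_NAMES, WILDCARD_CERT_SANS, san_matches_strict))  # False
```

The loose matcher accepts the parent-domain wildcard for the trusted host, which is the condition the advisory describes; the strict matcher rejects it while still accepting a legitimate single-label wildcard such as `*.internal.example.com` for that host.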
Recommendations

For versions prior to 1.12.6, update to version 1.12.6 or later.
For versions prior to 1.13.4, update to version 1.13.4 or later.
For versions prior to 1.14.4, update to version 1.14.4 or later.
For versions prior to 1.15.0, update to version 1.15.0 or later.

Fix

Weakness Enumeration

Origin Validation Error

Related Identifiers

BIT-ENVOY-2020-15104
CVE-2020-15104
GHSA-W5F5-6QHQ-HHRG
RHSA-2020:3090

Affected Products

Envoy