PT-2020-17336 · Envoy · Envoy

Abergmann · Published 2020-12-15 · Updated 2024-03-06 · CVE-2020-35470

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Envoy versions prior to 1.16.1

Description
Envoy logs an incorrect downstream address: it records only the directly connected peer and ignores the address carried in the proxy protocol header. This affects deployments where tcp-proxy is used as the network filter (HTTP filters are not affected).

Recommendations
For versions prior to 1.16.1, update to version 1.16.1 or later to resolve the issue. As a temporary workaround, consider configuring the logging mechanism to account for the proxy protocol header information until a patch is applied. Restrict access to the tcp-proxy network filter to minimize the risk of incorrect logging.
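The mis-attribution described above, shown as an added illustration that is not Envoy's code: a stream arrives from a load balancer with a PROXY protocol v1 line in front of the client's bytes, and a log that records only the connected peer attributes the traffic to the load balancer rather than to the original client. Addresses, ports and the helper names are constructed for the example.

```python
# Added example (not Envoy's code): how a downstream address is mis-attributed
# when a TCP proxy logs only the directly connected peer and ignores the
# PROXY protocol v1 header that a load balancer prepended to the stream.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProxyHeader:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyHeader], bytes]:
    """Parse a PROXY protocol v1 line from the start of a stream.

    Returns (header, remaining_bytes). header is None for the 'UNKNOWN'
    form, which carries no address; a malformed line raises ValueError.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("stream does not start with a PROXY v1 header")
    end = data.find(b"\r\n")
    if end < 0 or end > 105:  # v1 lines are at most 107 bytes including CRLF
        raise ValueError("PROXY v1 line too long or unterminated")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY v1 line: {fields}")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not all(0 <= p <= 65535 for p in (src_port, dst_port)):
        raise ValueError("port out of range")
    return ProxyHeader(fields[2], src_port, fields[3], dst_port), rest


def logged_downstream(peer: str, data: bytes, use_header: bool) -> str:
    """Address a tcp-proxy access log attributes to the downstream client.

    use_header=False models the behaviour the advisory describes (only the
    directly connected peer is recorded); use_header=True prefers the
    original source address carried by the PROXY header.
    """
    header, _ = parse_proxy_v1(data)
    if use_header and header is not None:
        return f"{header.src_addr}:{header.src_port}"
    return peer


# Constructed sample: a load balancer at 10.0.0.7 forwards a client from
# 203.0.113.5 and prepends a PROXY v1 line in front of the client's bytes.
SAMPLE_PEER = "10.0.0.7:49152"
SAMPLE_STREAM = b"PROXY TCP4 203.0.113.5 192.0.2.10 56324 443\r\nGET / HTTP/1.1\r\n"
```

Comparing the two `logged_downstream` results for the same stream is the check a defender can run against their own access logs: if entries behind a PROXY-protocol-aware load balancer all show the balancer's address, the log is recording the peer, not the client.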

Fix

Related Identifiers

BIT-ENVOY-2020-35470
CVE-2020-35470

Affected Products

Envoy