Add CVE-2019-18838 (#6051)

* Add CVE-2019-18838

* Make linter happy

* Typos...

* Apply suggestions from code review
Francois Pesce 2019-12-11 12:13:02 -08:00 committed by Istio Automation
parent f89466b06f
commit 004a4489e5
5 changed files with 10 additions and 3 deletions

View File

@ -161,6 +161,7 @@ CVE-2019-15226
CVE-2019-18801
CVE-2019-18802
CVE-2019-18817
CVE-2019-18838
CVE-2019-9512
CVE-2019-9513
CVE-2019-9514
@ -180,6 +181,7 @@ decapsulated
Delayering
Demailly
deployment
dereferenced
deserialize
deserializing
dev

View File

@ -19,6 +19,7 @@ This release contains fixes for the security vulnerability described in [our Dec
__[CVE-2019-18801](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801)__: Fix a vulnerability affecting Envoy's processing of large HTTP/2 request headers. A successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure.
__[CVE-2019-18802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802)__: Fix a vulnerability resulting from whitespace after HTTP/1 header values which could allow an attacker to bypass Istio's policy checks, potentially resulting in information disclosure or escalation of privileges.
__[CVE-2019-18838](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18838)__: Fix a vulnerability resulting from malformed HTTP request missing the "Host" header. An encoder filter that invokes Envoy's route manager APIs that access request's "Host" header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.
## Bug fix
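Review bot: The added CVE-2019-18838 entry drops articles in two places: "resulting from malformed HTTP request" should read "resulting from a malformed HTTP request", and "that access request's "Host" header" should read "that access the request's "Host" header". The same sentence is added to the other two release announcements in this commit, so the wording fix applies to all three.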

View File

@ -19,6 +19,7 @@ This release contains fixes for the security vulnerability described in [our Dec
__[CVE-2019-18801](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801)__: Fix a vulnerability affecting Envoy's processing of large HTTP/2 request headers. A successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure.
__[CVE-2019-18802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802)__: Fix a vulnerability resulting from whitespace after HTTP/1 header values which could allow an attacker to bypass Istio's policy checks, potentially resulting in information disclosure or escalation of privileges.
__[CVE-2019-18838](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18838)__: Fix a vulnerability resulting from malformed HTTP request missing the "Host" header. An encoder filter that invokes Envoy's route manager APIs that access request's "Host" header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.
## Bug fixes
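Review bot: The CVE-2019-18838 paragraph added here is a verbatim copy of the one added to the other two release announcements in this commit, so any later correction has to be made in three places. Consider keeping the per-CVE text in one shared snippet, in the style of the boilerplate "security-vulnerability" shortcode the bulletin already uses, or trimming each announcement to a one-line summary that links to the bulletin.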

View File

@ -19,3 +19,4 @@ This release contains fixes for the security vulnerability described in [our Dec
__[CVE-2019-18801](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801)__: Fix a vulnerability affecting Envoy's processing of large HTTP/2 request headers. A successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure.
__[CVE-2019-18802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802)__: Fix a vulnerability resulting from whitespace after HTTP/1 header values which could allow an attacker to bypass Istio's policy checks, potentially resulting in information disclosure or escalation of privileges.
__[CVE-2019-18838](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18838)__: Fix a vulnerability resulting from malformed HTTP request missing the "Host" header. An encoder filter that invokes Envoy's route manager APIs that access request's "Host" header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.
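Review bot: The new CVE-2019-18838 entry gives the effect only as "abnormal termination of the Envoy process", while the CVE-2019-18801 entry two lines above names its impact classes ("denial of service, escalation of privileges, or information disclosure"). Naming the impact here as a denial of service would keep the entries consistent and easier to triage. The sentence also reads as unconditional ("will cause"), although the crash depends on an encoder filter that calls the route manager APIs being present; a phrase such as "when an encoder filter ... is configured" would make that precondition explicit.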

View File

@ -19,14 +19,16 @@ Envoy, and subsequently Istio are vulnerable to two newly discovered vulnerabili
* __[CVE-2019-18802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802)__: HTTP/1 codec incorrectly fails to trim whitespace after header values. This could allow an attacker to bypass Istio's policy either for information disclosure or escalation of privileges.
* __[CVE-2019-18838](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18838)__: Upon receipt of a malformed HTTP request without the "Host" header, an encoder filter invoking Envoy's route manager APIs that access request's "Host" header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.
## Impact and detection
Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases where downstream's requests are HTTP/2 while upstream's are HTTP/1, then your cluster is vulnerable. We expect this to be true of most clusters.
## Mitigation
* For Istio 1.2.x deployments: update to a [Istio 1.2.10](/news/releases/1.2.x/announcing-1.2.10) or later.
* For Istio 1.3.x deployments: update to a [Istio 1.3.6](/news/releases/1.3.x/announcing-1.3.6) or later.
* For Istio 1.4.x deployments: update to a [Istio 1.4.2](/news/releases/1.4.x/announcing-1.4.2) or later.
* For Istio 1.2.x deployments: update to [Istio 1.2.10](/news/releases/1.2.x/announcing-1.2.10) or later.
* For Istio 1.3.x deployments: update to [Istio 1.3.6](/news/releases/1.3.x/announcing-1.3.6) or later.
* For Istio 1.4.x deployments: update to [Istio 1.4.2](/news/releases/1.4.x/announcing-1.4.2) or later.
{{< boilerplate "security-vulnerability" >}}
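Review bot: The intro sentence shown in the hunk header still says "vulnerable to two newly discovered vulnerabili...", but this hunk adds a further CVE bullet to the list under it, so the count looks stale and should be updated in the same change. The "Impact and detection" paragraph also still speaks of "this issue" and gives only the HTTP/2 downstream with HTTP/1 upstream condition; it says nothing about when CVE-2019-18838 applies (a request without a "Host" header reaching an encoder filter that uses the route manager APIs). Please either scope that paragraph per CVE or add a sentence covering the new one.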