Summary
Calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter.
Details
The crashing function is Utility::getAddressWithPort. The crash occurs if a string containing a scoped IPv6 address is passed to this function.
This vulnerability affects:
- The original src filter: If the filter is configured and the original source is a scoped IPv6 address, it will cause a crash.
- DNS response address resolution: If a DNS response contains a scoped IPv6 address, this will also trigger the crash.
PoC
To reproduce the vulnerability:
- Method A (Original Src Filter): Configure the
original src filter in Envoy and provide a scoped IPv6 address as the original source.
- Method B (DNS Resolution): Trigger a DNS resolution process within Envoy where the DNS response contains a scoped IPv6 address.
Impact
This is a Denial of Service (DoS) vulnerability. It impacts users who have the original src filter configured or whose Envoy instances resolve addresses from DNS responses that may contain scoped IPv6 addresses.
antoniovleonti Reporter
agrawroh Remediation developer
botengyao Remediation reviewer
phlax Coordinator
Summary
Calling
Utility::getAddressWithPortwith a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the original_src filter and the dns filter.Details
The crashing function is
Utility::getAddressWithPort. The crash occurs if a string containing a scoped IPv6 address is passed to this function.This vulnerability affects:
PoC
To reproduce the vulnerability:
original srcfilter in Envoy and provide a scoped IPv6 address as the original source.Impact
This is a Denial of Service (DoS) vulnerability. It impacts users who have the
original srcfilter configured or whose Envoy instances resolve addresses from DNS responses that may contain scoped IPv6 addresses.