
Disable remote proxy patching except AWS Lambda #17415

Merged
zalimeni merged 1 commit into main from zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda
May 23, 2023

Conversation

@zalimeni zalimeni (Member) commented May 19, 2023

To avoid unintended tampering with remote downstreams via service config, refactor BasicEnvoyExtender and RuntimeConfig to disallow typical Envoy extensions from being applied to non-local proxies.

Continue to allow this behavior for AWS Lambda and the read-only Validate builtin extensions.

Addresses CVE-2023-2816.

Description

This change addresses CVE-2023-2816 and prevents future bugs by refactoring Envoy extender code and RuntimeConfig to:

  • Prevent all but specific allowed extensions (AWS Lambda and the Validate pseudo-extension) from interacting with downstream proxies via upstream config.
  • Clearly disambiguate between the source of Envoy extension config (local or upstream) and Envoy resource traffic direction.

Testing & Reproduction steps

  • Manual verification of fix by attempted reproduction post-fix
  • Tests added and updated in this PR to guard intended behavior

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern (addresses existing security concern)
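As an added illustration of the rule the description outlines (example code written here, not Consul's own extender or RuntimeConfig): a default-deny filter that lets a proxy's own config apply any extension, while extension config sourced from an upstream may apply only an allow-listed set, with the config source tracked separately from the resource's traffic direction. Extension names, type names and resource names are placeholders, not Consul identifiers.

```go
package main

import "fmt"

// Source records where an extension's configuration came from: the proxy's
// own service config (local) or the config of a remote upstream it talks to.
type Source int

const (
	SourceLocal Source = iota
	SourceUpstream
)

// Direction is the traffic direction of the Envoy resource being patched.
// It is kept distinct from Source so "from upstream" is never read as "outbound".
type Direction string

const (
	Inbound  Direction = "inbound"
	Outbound Direction = "outbound"
)

// Patch is one extension asking to modify one Envoy resource of this proxy.
type Patch struct {
	Extension string
	Source    Source
	Direction Direction
	Resource  string
}

// Extensions still permitted to act on a proxy when configured by an upstream.
// Names are illustrative placeholders, not Consul's real extension identifiers.
var remoteAllowed = map[string]bool{
	"aws-lambda": true,
	"validate":   true, // read-only: inspects config, never alters the proxy
}

// FilterPatches applies the default-deny rule: local config may apply any
// extension; upstream-sourced config only the allow-listed ones. Rejections
// come back as log-ready reasons so operators can see the attempts.
func FilterPatches(patches []Patch) (applied []Patch, denied []string) {
	for _, p := range patches {
		if p.Source == SourceUpstream && !remoteAllowed[p.Extension] {
			denied = append(denied, fmt.Sprintf("denied %q from upstream config on %s resource %q",
				p.Extension, p.Direction, p.Resource))
			continue
		}
		applied = append(applied, p)
	}
	return applied, denied
}
```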

@github-actions github-actions bot added theme/api Relating to the HTTP API interface theme/envoy/xds Related to Envoy support labels May 19, 2023
@zalimeni zalimeni force-pushed the zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda branch from 500c0fc to 5564260 Compare May 19, 2023 19:30
@zalimeni zalimeni added theme/security backport/1.15 This release series is no longer active on CE. Use backport/ent/1.15. pr/no-docs PR does not include docs and should not trigger reminder for cherrypicking them. and removed theme/api Relating to the HTTP API interface labels May 19, 2023
@zalimeni zalimeni force-pushed the zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda branch from 5564260 to b5d084a Compare May 22, 2023 14:57
@zalimeni zalimeni marked this pull request as ready for review May 22, 2023 14:57
@zalimeni zalimeni requested review from cthain and erichaberkorn May 22, 2023 14:57
Comment on lines 1 to 7
Member Author

I've also seen xds: used often, but extensions: felt ideal if we're generally using that one.


@zalimeni zalimeni May 22, 2023

cc @picatz and @hashicorp/consul-docs in case you have input on changelog (I'm happy to address after merge as well)

@zalimeni zalimeni removed the pr/no-docs PR does not include docs and should not trigger reminder for cherrypicking them. label May 22, 2023
@zalimeni zalimeni force-pushed the zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda branch from b5d084a to ba18381 Compare May 23, 2023 11:39
@zalimeni zalimeni enabled auto-merge (squash) May 23, 2023 11:49
@zalimeni zalimeni merged commit b8d2640 into main May 23, 2023
@zalimeni zalimeni deleted the zalimeni/net-3900-only-apply-remote-upstream-extension-aws-lambda branch May 23, 2023 11:55