Envoy CVE security fixes for GetEnvoy

The Envoy security team today [announced] the availability of Envoy 1.9.1 to address two high-risk vulnerabilities related to header values and HTTP URL paths.

We also released the GetEnvoy build of Envoy 1.9.1 and the latest master build that fixes the vulnerabilities. Users are encouraged to upgrade to 1.9.1 or the latest master build to address the following CVEs:

  • CVE-2019-9900: When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
  • CVE-2019-9901: Envoy 1.9 and before does not normalize HTTP URL paths. A remote attacker may craft a path containing relative segments, e.g. something/../admin, to bypass access control, e.g. a block on /admin. A backend server could then normalize and interpret the path itself and grant the attacker access beyond the scope provided for by the access control policy.

Am I at Risk?

Not all Envoy users will be directly impacted by these vulnerabilities. Envoy configurations are most vulnerable if headers are used for access control and routing or if path-based access control or routing is used for deployments.

If you’re running GetEnvoy, upgrade GetEnvoy to the latest version and run:

getenvoy verify

to see if your installed Envoy contains the security fixes. If yours doesn’t, please run:

getenvoy fetch

to get the latest build from us.

More recent versions will still be vulnerable to CVE-2019-9901 if they do not enable path normalization via either the HTTP Connection Manager configuration HttpConnectionManager.normalize_path field or the http_connection_manager.normalize_path runtime option.

  • CVE-2019-9900: Those most likely to be affected will have HTTP/1.1 traffic from untrusted endpoints and will make use of header-based matching for access control or routing (including ext_authz, rate limiting service, and similar inbuilt filters).
  • CVE-2019-9901: Any deployment that uses path-based access control or routing is likely affected, in particular where routing decisions are intended to block or allow access (e.g. disabling an /admin handler). This will also depend on upstream path normalization semantics. If you use Envoy’s RBAC or ext_authz filter, together with prefix path matching or suffix header matching, it is likely that you are directly affected. If you have custom filters that rely on the request path or headers, you will need to perform additional risk assessment.

How do I mitigate?

See mitigation details in Envoy’s documentation on CVE-2019-9900 and CVE-2019-9901.

How do I upgrade?

To get our latest release, run

getenvoy fetch

In addition to upgrading, it is necessary to enable path normalization via either the HTTP Connection Manager configuration HttpConnectionManager.normalize_path field or the http_connection_manager.normalize_path runtime option to mitigate CVE-2019-9901.
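The following is an added illustration, not code from Envoy or GetEnvoy: a small model of why a prefix-based block on /admin is bypassed by an unnormalized path and why enabling normalize_path closes the gap. It implements the RFC 3986 remove_dot_segments algorithm (the normalization Envoy's normalize_path option applies) and assumes a hypothetical policy that denies any path with prefix /admin.

```python
# Model of CVE-2019-9901: path-based access control evaluated before vs. after
# normalization. remove_dot_segments follows RFC 3986 section 5.2.4.

BLOCKED_PREFIXES = ("/admin",)  # hypothetical deny policy, as an assumption


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments the way RFC 3986 prescribes."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = "/" + inp[3:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = "/" + inp[4:]
            if out:
                out.pop()  # '..' discards the last output segment
        elif inp == "/..":
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading '/') to the output.
            i = inp.find("/", 1) if inp.startswith("/") else inp.find("/")
            if i == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:i])
                inp = inp[i:]
    return "".join(out)


def is_blocked(path: str, normalize: bool) -> bool:
    """Apply the deny policy to the raw path (normalize_path off) or the
    normalized path (normalize_path on)."""
    effective = remove_dot_segments(path) if normalize else path
    return any(effective.startswith(p) for p in BLOCKED_PREFIXES)


def bypasses_policy(path: str) -> bool:
    """True when the proxy allows the request but a normalizing backend
    would serve a blocked resource, i.e. the CVE-2019-9901 scenario."""
    backend_view = remove_dot_segments(path)
    return (not is_blocked(path, normalize=False)) and is_blocked(backend_view, normalize=False)
```

With normalization off, /something/../admin passes the policy while the backend serves /admin; with normalization on, the policy sees /admin and denies it.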

Tetrate will continue to work in close coordination with the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.
