Announcing Built On Envoy: Making Envoy Extensions Accessible to Everyone

Learn more

Istio%20and%20Envoy%20Security%20Advisories

September 29, 2020 — The Envoy Product Security Team (PST) announced the availability of a security fix and a series

Tetrate, Petr McAllister, Yaroslav Skopets and Tevah Platt
Istio%20and%20Envoy%20Security%20Advisories

September 29, 2020 — The Envoy Product Security Team (PST) announced  the availability of a security fix and a series of patches for Envoy versions 1.12,1.13, 1.14 and 1.15 to address two high-risk vulnerabilities related to header values and HTTP URL paths. In response to CVE-2020-25017. Additionally the Istio community recommends users to upgrade to 1.6.11+ for 1.6.x deployments or 1.7.3 or later for 1.7.x deployments.

Users are encouraged to apply the related patches to address the following CVEs:

  • CVE-2020-25017 (CVSS score 8.3, High) Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Also, Envoy’s setCopy() header map API does not replace all existing occurrences of a non-inline header. See the Envoy GitHub advisory and Istio advisory for more details.
  • CVE-2020-25018 (CVSS score 7.5, High) Envoy master after 2d69e30 may fail to parse request URL that requires host canonicalization. The use of Internationalized Domain Name (IDN) as the host component in a request URL triggers the URL parser library used by Envoy to do Punycode encoding (to convert Unicode characters to ASCII). Since the conversion data is not available, it fails the conversion, which could result in executing code in faulting address (segmentation fault). See the GitHub advisory for more details.

Am I at Risk?

Envoy versions 1.15 or earlier deployments are vulnerable to CVE-2020-25017. Run `envoy –version` and if it indicates a base version of 1.15.0, 1.14.4, 1.13.4, 1.12.6 or older you are running a vulnerable version.

For Istio users – the affected versions are:

  • 1.6 to 1.6.10
  • 1.7 to 1.7.2

How do I fix it?

The Envoy security team has announced the availability of Envoy versions 1.15.1, 1.14.5, 1.13.6, and 1.12.7 to address the incorrect handling of duplicate HTTP headers (CVE-2020-25017). Users are encouraged to upgrade to these versions to fix the issue.

Including the 3b5acb2 commit, pushed into the main branch on Sept. 29, 2020 at 12 PDT, is encouraged to fix CVE-2020-25017. The vulnerability is not included in any Envoy releases and will not affect end-users who deployed the official Envoy release.

Istio users should upgrade to 1.6.11+ for 1.6.x deployments or 1.7.3 or later for 1.7.x deployments.

If you’re a Tetrate Service Bridge customer, please review this issue with your Tetrate support contact if any changes in your environment are required.

This notice will be updated if further information becomes available for Envoy or Istio.

How do I patch?

Update to 1.15.1, 1.14.5, 1.13.6, or 1.12.7 via your Envoy distribution or rebuild from the Envoy GitHub source at the 1.15.1, 1.14.5, 1.13.6, or 1.12.7 tag or HEAD @ master.

For v1.15.1:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.15.1

Docker images: docker pull envoyproxy/envoy:v1.15.1

Text release notes can be found here

Expect a followup email tomorrow with links to release notes and docs for 1.15.1; 

For v1.14.5:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.14.5

Docker images: docker pull envoyproxy/envoy:v1.14.5

Release notes: https://www.envoyproxy.io/docs/envoy/v1.14.5/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.14.5/

For v1.13.6:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.13.6

Docker images: docker pull envoyproxy/envoy:v1.13.6

Release notes: https://www.envoyproxy.io/docs/envoy/v1.13.6/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.13.6/

For v1.12.7:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.12.7

Docker images: docker pull envoyproxy/envoy:v1.12.7

Release notes: https://www.envoyproxy.io/docs/envoy/v1.12.7/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.12.7/

Tetrate will continue to work in close coordination with the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.

Tetrate, Petr McAllister, Yaroslav Skopets and Tevah Platt
Product background Product background for tablets
Building AI agents

Agent Router Enterprise provides managed LLM & MCP Gateways plus AI Guardrails in your dedicated instance. Graduate agents from prototype to production with consistent model access, governed tool use, and runtime supervision — built on Envoy AI Gateway by its creators.

  • LLM Gateway – Unified model catalog with automatic fallback across providers
  • MCP Gateway – Curated tool access with per-profile authentication and filtering
  • AI Guardrails – Enforce policies, prevent data loss, and supervise agent behavior
    • Learn more
    Replacing NGINX Ingress

    Tetrate Enterprise Gateway for Envoy (TEG) is the enterprise-ready replacement for NGINX Ingress Controller. Built on Envoy Gateway and the Kubernetes Gateway API, TEG delivers advanced traffic management, security, and observability without vendor lock-in.

  • 100% upstream Envoy Gateway – CVE-protected builds
  • Kubernetes Gateway API native – Modern, portable, and extensible ingress
  • Enterprise-grade support – 24/7 production support from Envoy experts
    • Learn more
    Decorative CTA background pattern background background
    Tetrate logo in the CTA section Tetrate logo in the CTA section for mobile

    Ready to enhance your
    network
    with more
    intelligence?