QID 981425
QID 981425: Go (go) Security Update for github.com/projectcontour/contour (GHSA-5ph6-qq5x-7jwc)
Security update has been released for github.com/projectcontour/contour to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Josh Ferrell (@josh-ferrell) from VMware has reported that a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it *cannot* be used to get the *content* of those secrets.
Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above.
It is addressed in two ways:
- disabling ExternalName type Services by default
- When ExternalName Services are enabled, block obvious "localhost" entries.Workaround:
Not easily. It's not possible to control the creation of ExternalName Services with RBAC without the use of Gatekeeper or other form of admission control, and the creation of services is required for Contour to actually work for application developer personas.
- GHSA-5ph6-qq5x-7jwc -
github.com/advisories/GHSA-5ph6-qq5x-7jwc
CVEs related to QID 981425
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-5ph6-qq5x-7jwc | github.com/projectcontour/contour |
github.com/advisories/GHSA-5ph6-qq5x-7jwc |