Summary
CORS filter will segfault and crash Envoy when the origin header is removed and deleted between decodeHeadersand encodeHeaders.
Affected components
HTTP CORS filter
Details
In the CORS filter's decodeHeaders method, a pointer to the origin header is captured. If the origin header is configured to be removed, a segfault crash will occur when the pointer is used again in encodeHeaders since it has been dereferenced.
PoC
Impact
There will be a segfault crash in the CORS filter
Mitigation
Not removing the origin header in Envoy configuration
Detection
Crashes in CORS filter.
botengyao Coordinator
KBaichoo Remediation developer
paul-r-gall Analyst
phlax Coordinator
nezdolik Remediation developer
Summary
CORS filter will segfault and crash Envoy when the
originheader is removed and deleted betweendecodeHeadersandencodeHeaders.Affected components
HTTP CORS filter
Details
In the CORS filter's
decodeHeadersmethod, a pointer to theoriginheader is captured. If theoriginheader is configured to be removed, a segfault crash will occur when the pointer is used again inencodeHeaderssince it has been dereferenced.PoC
originheader is configured to be removed withrequest_headers_to_remove: origin,https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto
decodeHeadersstores the pointer oforigin, and then the header is removed.encodeHeaderin CORS filter.Impact
There will be a segfault crash in the CORS filter
Mitigation
Not removing the
originheader in Envoy configurationDetection
Crashes in CORS filter.