Impact
Denial of service (crash).
Affected components
Oauth2
Attack vector/s
If Envoy is running with the OAuth filter enabled and exposed, a malicious actor could construct a request which would cause denial of service by crashing Envoy.
Description
The OAuth filter assumes that a state query param is present on any response that looks like an OAuth redirect response. Sending it a request with the URI path equivalent to the redirect path, without the state parameter, will lead to abnormal termination of the Envoy process.
Example exploit or proof-of-concept
If the redirect path looks like /oauth_redirect, sending a request to Envoy with the URI path /oauth_redirect and without specifying the state param will lead to a segmentation fault.
Mitigation
The issue can be mitigated by locking down OAuth traffic, disabling the filter or by filtering traffic before it reaches the OAuth filter (e.g. via a lua script).
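The following is an added example of the third mitigation option (filtering traffic before it reaches the OAuth filter); it is not code from the advisory or from the Envoy project. It is an Envoy Lua filter (envoy.filters.http.lua) meant to be placed in the HTTP filter chain ahead of envoy.filters.http.oauth2. It rejects any request whose path equals the redirect path but whose query string carries no state parameter, so the OAuth filter never sees the malformed request. The redirect path /oauth_redirect is taken from the advisory's example; the decision to treat an empty state value as missing is an assumption of this example, not something the advisory states.

```lua
-- Added mitigation example (not from the Envoy project or the advisory):
-- reject requests to the OAuth redirect path that lack a "state" query
-- parameter before they reach the OAuth2 filter.
-- REDIRECT_PATH follows the advisory's example path; adjust to deployment.
local REDIRECT_PATH = "/oauth_redirect"

-- Split the ":path" pseudo-header into its path and query parts.
-- The query part is "" when the request carries no query string.
local function split_path(full_path)
  local qpos = string.find(full_path, "?", 1, true)
  if qpos == nil then
    return full_path, ""
  end
  return string.sub(full_path, 1, qpos - 1), string.sub(full_path, qpos + 1)
end

-- True only when the query string has a "state" key with a non-empty value.
-- Treating an empty value as missing is this example's choice (assumption).
local function has_state_param(query)
  for pair in string.gmatch(query, "[^&]+") do
    local key, value = string.match(pair, "^([^=]*)=?(.*)$")
    if key == "state" and value ~= nil and value ~= "" then
      return true
    end
  end
  return false
end

-- Envoy calls this for every request passing through the Lua filter.
function envoy_on_request(request_handle)
  local full_path = request_handle:headers():get(":path")
  if full_path == nil then
    return
  end
  local path, query = split_path(full_path)
  if path == REDIRECT_PATH and not has_state_param(query) then
    -- Answer locally with 400; the request is dropped here and never
    -- reaches the OAuth2 filter or the upstream cluster.
    request_handle:respond(
      { [":status"] = "400", ["content-type"] = "text/plain" },
      "missing state parameter\n")
  end
end
```

Wire the script in as an inline_code block of an envoy.filters.http.lua entry that precedes the envoy.filters.http.oauth2 entry in http_filters; filter order is what makes the check effective. Rejected requests show up as locally generated 400 responses in the access log, which also gives a simple detection signal for probing of the redirect path.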