https://security.netapp.com/advisory/ntap-20211008-0006/

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9546 advisory.

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions when ext-authz extension is sending request headers to the external     authorization service it must merge multiple value headers according to the HTTP spec. However, only the     last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers     may be able to escalate privileges when using ext-authz extension or back end service that uses multiple     value headers for authorization. A specifically constructed request may be delivered by an untrusted     downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5     contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending     request for authorization. (CVE-2021-32777)

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it     receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING     when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving     these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid     state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream     server will result in Denial of Service in the presence of untrusted **upstream** servers. Envoy versions     1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the     CLOSED state. (CVE-2021-32780)

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions after Envoy sends a locally generated response it must stop further     processing of request or response data. However when local response is generated due the internal buffer     overflow while request or response is processed by the filter chain the operation may not be stopped     completely and result in accessing a freed memory block. A specifically constructed request delivered by     an untrusted downstream or upstream peer in the presence of extensions that modify and increase the size     of request or response bodies resulting in a Denial of Service when using extensions that modify and     increase the size of request or response bodies, such as decompressor filter. Envoy versions 1.19.1,     1.18.4, 1.17.4, 1.16.5 contain fixes to address incomplete termination of request processing after locally     generated response. As a workaround disable Envoy's decompressor, json-transcoder or grpc-web extensions     or proprietary extensions that modify and increase the size of request or response bodies, if feasible.
    (CVE-2021-32781)

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the     path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an     explicit case of a final /admin path element, or is using a negative assertion with final path element     of /admin. The client sends request to /app1/admin#foo. In Envoy prior to 1.18.0, or 1.18.0+     configured with path_normalization=false. Envoy treats fragment as a suffix of the query string when     present, or as a suffix of the path when query string is absent, so it evaluates the final path element as     /admin#foo and mismatches with the configured /admin path element. In Envoy 1.18.0+ configured with     path_normalization=true. Envoy transforms this to /app1/admin%23foo and mismatches with the configured     /admin prefix. The resulting URI is sent to the next server-agent with the offending #foo fragment which     violates RFC3986 or with the nonsensical %23foo text appended. A specifically constructed request with     URI containing '#fragment' element delivered by an untrusted client in the presence of path based request     authorization resulting in escalation of Privileges when path based request authorization extensions.
    Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in     incoming requests. (CVE-2021-32779)

  - A security issue was discovered in Kubernetes where a user may be able to create a container with subpath     volume mounts to access files & directories outside of the volume, including on the host filesystem.
    (CVE-2021-25741)

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions envoy's procedure for resetting a HTTP/2 stream has O(N^2) complexity,     leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to     Denial of Service when Envoy is configured with high limit on H/2 concurrent streams. An attacker wishing     to exploit this vulnerability would require a client opening and closing a large number of H/2 streams.
    Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to reduce time complexity of resetting HTTP/2     streams. As a workaround users may limit the number of simultaneous HTTP/2 dreams for upstream and     downstream peers to a low number, i.e. 100. (CVE-2021-32778)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9526 advisory.

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions when ext-authz extension is sending request headers to the external     authorization service it must merge multiple value headers according to the HTTP spec. However, only the     last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers     may be able to escalate privileges when using ext-authz extension or back end service that uses multiple     value headers for authorization. A specifically constructed request may be delivered by an untrusted     downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5     contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending     request for authorization. (CVE-2021-32777)

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it     receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING     when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving     these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid     state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream     server will result in Denial of Service in the presence of untrusted **upstream** servers. Envoy versions     1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the     CLOSED state. (CVE-2021-32780)

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions after Envoy sends a locally generated response it must stop further     processing of request or response data. However when local response is generated due the internal buffer     overflow while request or response is processed by the filter chain the operation may not be stopped     completely and result in accessing a freed memory block. A specifically constructed request delivered by     an untrusted downstream or upstream peer in the presence of extensions that modify and increase the size     of request or response bodies resulting in a Denial of Service when using extensions that modify and     increase the size of request or response bodies, such as decompressor filter. Envoy versions 1.19.1,     1.18.4, 1.17.4, 1.16.5 contain fixes to address incomplete termination of request processing after locally     generated response. As a workaround disable Envoy's decompressor, json-transcoder or grpc-web extensions     or proprietary extensions that modify and increase the size of request or response bodies, if feasible.
    (CVE-2021-32781)

  - Envoy is an open source L7 proxy and communication bus designed for large modern service oriented     architectures. In affected versions envoy incorrectly handled a URI '#fragment' element as part of the     path element. Envoy is configured with an RBAC filter for authorization or similar mechanism with an     explicit case of a final /admin path element, or is using a negative assertion with final path element     of /admin. The client sends request to /app1/admin#foo. In Envoy prior to 1.18.0, or 1.18.0+     configured with path_normalization=false. Envoy treats fragment as a suffix of the query string when     present, or as a suffix of the path when query string is absent, so it evaluates the final path element as     /admin#foo and mismatches with the configured /admin path element. In Envoy 1.18.0+ configured with     path_normalization=true. Envoy transforms this to /app1/admin%23foo and mismatches with the configured     /admin prefix. The resulting URI is sent to the next server-agent with the offending #foo fragment which     violates RFC3986 or with the nonsensical %23foo text appended. A specifically constructed request with     URI containing '#fragment' element delivered by an untrusted client in the presence of path based request     authorization resulting in escalation of Privileges when path based request authorization extensions.
    Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes that removes fragment from URI path in     incoming requests. (CVE-2021-32779)

  - A security issue was discovered in Kubernetes where a user may be able to create a container with subpath     volume mounts to access files & directories outside of the volume, including on the host filesystem.
    (CVE-2021-25741)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the kubernetes package has been released.

  - A security issue was discovered in Kubernetes where a user may be able to create a container with subpath     volume mounts to access files & directories outside of the volume, including on the host filesystem.
    (CVE-2021-25741)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2021:3631 advisory.

  - kubernetes: Symlink exchange can allow host filesystem access (CVE-2021-25741)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:3646 advisory.

  - kubernetes: Symlink exchange can allow host filesystem access (CVE-2021-25741)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
155011	Oracle Linux 8 : olcne / istio / istio / kubernetes (ELSA-2021-9546)	Nessus	Oracle Linux Local Security Checks	high
154970	Oracle Linux 7 : olcne (ELSA-2021-9526)	Nessus	Oracle Linux Local Security Checks	high
153927	Photon OS 4.0: Kubernetes PHSA-2021-4.0-0112	Nessus	PhotonOS Local Security Checks	high
153834	RHEL 7 : OpenShift Container Platform 4.8.13 (RHSA-2021:3631)	Nessus	Red Hat Local Security Checks	high
153833	RHEL 7 : OpenShift Container Platform 3.11.524 (RHSA-2021:3646)	Nessus	Red Hat Local Security Checks	high
153756	Photon OS 2.0: Kubernetes PHSA-2021-2.0-0394	Nessus	PhotonOS Local Security Checks	high
153753	Photon OS 3.0: Kubernetes PHSA-2021-3.0-0303	Nessus	PhotonOS Local Security Checks	high
153690	Photon OS 1.0: Kubernetes PHSA-2021-1.0-0435	Nessus	PhotonOS Local Security Checks	high

CVE-2021-25741

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high