Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.

Details

When additional address are not ip addresses, then the Happy Eyeballs sorting algorithm will crash in data plane. This CVE will validate all additional and original addresses are IP addresses.

PoC

- clusterName: outbound|80||echo.default.svc.cluster.local
  endpoints:
  - lbEndpoints:
    - endpoint:
        additionalAddresses:
        - address:
            envoyInternalAddress:
              endpointId: '[fd00:10:244::10]:80'
              serverListenerName: connect_originate
        address:
          envoyInternalAddress:
            endpointId: [10.244.0.16:80](http://10.244.0.16/)
            serverListenerName: connect_originate
        healthCheckConfig: {}
      healthStatus: HEALTHY
      loadBalancingWeight: 1
      metadata:
        filterMetadata:
          envoy.filters.listener.original_dst:
            local: [10.244.0.16:80](http://10.244.0.16/)
          envoy.transport_socket_match:
            tunnel: http
          istio:
            workload: echo;default;echo;;Kubernetes
    loadBalancingWeight: 1
    locality: {}
  policy:
    overprovisioningFactor: 140

Mitigation

Disable Happy Eyeballs
Change the IP configuration

Impact

It will crash envoy.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.

Package

Affected versions

Patched versions

Description

Details

PoC

Mitigation

Impact

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits