CVE-2022-29226: oauth2: do not blindly accept requests with a token in the Authorizat… · envoyproxy/envoy@7ffda4e

Envoy is a cloud-native, high-performance proxy. In versions prior to 1.22.1 the OAuth2 filter has no mechanism for validating access tokens, so by design a request that lacks the HMAC-signed session cookie should be sent through the full authentication flow. The implementation instead assumed that any access token had already been validated, and let a request through as soon as it carried a bearer token in the Authorization header (or, as the rewritten tests below show, in the `token` query parameter), regardless of whether the signed cookie was present. Users are advised to upgrade. There is no known workaround for this issue.
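As an added illustration of the bug described above (example code, not Envoy's own filter): the block below models the decision the OAuth2 filter makes in decodeHeaders(), once as the pre-1.22.1 logic that accepted a bearer token from the Authorization header or the `token` query parameter without validating it, and once as the fixed logic that trusts only the HMAC-validated cookies and strips or replaces the client-supplied header. `HeaderMap`, `Config`, `CookieValidator`, `tokenFromQuery`, `decodeHeadersVulnerable`, `decodeHeadersFixed` and `injectedTokenIsSanitized` are names invented for this model, the cookie check is a stand-in callback rather than a real HMAC verification, and the header and token values are taken from the test cases in the commit.

```cpp
// Added example, not Envoy's code: a simplified model of the OAuth2 filter's decodeHeaders()
// decision before and after the CVE-2022-29226 fix. All type and function names are assumptions
// made for illustration; the real filter lives under source/extensions/filters/http/oauth2/.
#include <functional>
#include <map>
#include <string>

enum class FilterHeadersStatus { Continue, StopIteration };

// Lower-cased header name -> value; ":path" holds the request path including any query string.
using HeaderMap = std::map<std::string, std::string>;
// Stands in for the HMAC-signed-cookie check the real filter delegates to validator_->isValid().
using CookieValidator = std::function<bool(const HeaderMap&)>;

struct Config {
  bool forward_bearer_token = true;  // mirrors OAuth2Config.forward_bearer_token
};

// Value of the `token` query parameter in a path such as "/x?role=a&token=abc", or "" if absent.
std::string tokenFromQuery(const std::string& path) {
  const std::string::size_type q = path.find('?');
  if (q == std::string::npos) return "";
  const std::string query = path.substr(q + 1);
  std::string::size_type pos = 0;
  while (pos <= query.size()) {
    std::string::size_type amp = query.find('&', pos);
    if (amp == std::string::npos) amp = query.size();
    const std::string param = query.substr(pos, amp - pos);
    if (param.rfind("token=", 0) == 0) return param.substr(6);
    pos = amp + 1;
  }
  return "";
}

// Pre-1.22.1 logic (CVE-2022-29226): valid cookies pass the request; failing that, a bearer token
// taken from the Authorization header or the `token` query parameter is written into the
// Authorization header and the request is passed upstream without the token ever being validated.
FilterHeadersStatus decodeHeadersVulnerable(HeaderMap& h, const CookieValidator& cookiesValid) {
  if (cookiesValid(h)) return FilterHeadersStatus::Continue;
  std::string token;
  const auto auth = h.find("authorization");
  if (auth != h.end() && auth->second.rfind("Bearer ", 0) == 0) token = auth->second.substr(7);
  if (token.empty()) token = tokenFromQuery(h[":path"]);
  if (!token.empty()) {
    h["authorization"] = "Bearer " + token;  // the bug: an attacker-chosen token counts as proof of auth
    return FilterHeadersStatus::Continue;
  }
  return FilterHeadersStatus::StopIteration;  // would redirect to the authorization endpoint
}

// Fixed logic: only HMAC-validated cookies establish a session. The client-supplied Authorization
// header is dropped unconditionally, because the filter cannot validate it, and with
// forward_bearer_token on it is replaced by the token that belongs to the validated session.
FilterHeadersStatus decodeHeadersFixed(const Config& cfg, HeaderMap& h,
                                       const CookieValidator& cookiesValid,
                                       const std::string& sessionToken) {
  h.erase("authorization");
  if (!cookiesValid(h)) return FilterHeadersStatus::StopIteration;  // start the OAuth flow instead
  if (cfg.forward_bearer_token && !sessionToken.empty()) {
    h["authorization"] = "Bearer " + sessionToken;
  }
  return FilterHeadersStatus::Continue;
}

// Replays the commit's OAuthOkPassButInvalidToken scenario: valid cookies, "Bearer injected_malice!"
// in the request, forwarding disabled. True when the request passes with the injected token gone.
bool injectedTokenIsSanitized() {
  HeaderMap h{{":path", "/anypath"}, {"authorization", "Bearer injected_malice!"}};
  Config cfg;
  cfg.forward_bearer_token = false;
  const auto status =
      decodeHeadersFixed(cfg, h, [](const HeaderMap&) { return true; }, "legit_token");
  return status == FilterHeadersStatus::Continue && h.count("authorization") == 0;
}
```

With forward_bearer_token enabled, the fixed path overwrites whatever Authorization header the client sent with the session's own token, so the upstream never sees a value the proxy did not vouch for; the vulnerable path does the opposite and forwards the client's string verbatim, which is exactly what the two rewritten bearer-token tests in the commit stop allowing.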


@@ -95,7 +95,7 @@ class OAuth2Test : public testing::Test { }
// Set up proto fields with standard config. FilterConfigSharedPtr getConfig() { FilterConfigSharedPtr getConfig(bool forward_bearer_token = true) { envoy::extensions::filters::http::oauth2::v3::OAuth2Config p; auto* endpoint = p.mutable_token_endpoint(); endpoint->set_cluster(“auth.example.com”); @@ -105,7 +105,7 @@ class OAuth2Test : public testing::Test { p.mutable_redirect_path_matcher()->mutable_path()->set_exact(TEST_CALLBACK); p.set_authorization_endpoint(“https://auth.example.com/oauth/authorize/”); p.mutable_signout_path()->mutable_path()->set_exact(“/_signout”); p.set_forward_bearer_token(true); p.set_forward_bearer_token(forward_bearer_token); p.add_auth_scopes(“user”); p.add_auth_scopes(“openid”); p.add_auth_scopes(“email”); @@ -422,6 +422,50 @@ TEST_F(OAuth2Test, OAuthOkPass) { EXPECT_EQ(scope_.counterFromString(“test.oauth_success”).value(), 1); }
/** * Scenario: The OAuth filter receives a request to an arbitrary path with valid OAuth cookies * (cookie values and validation are mocked out), but with an invalid token in the Authorization * header and forwarding bearer token is disabled. * * Expected behavior: the filter should sanitize the Authorization header and let the request * proceed. */ TEST_F(OAuth2Test, OAuthOkPassButInvalidToken) { init(getConfig(false /* forward_bearer_token */));
Http::TestRequestHeaderMapImpl mock_request_headers{ {Http::Headers::get().Path.get(), "/anypath"}, {Http::Headers::get().Host.get(), "traffic.example.com"}, {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get}, {Http::Headers::get().Scheme.get(), "https"}, {Http::CustomHeaders::get().Authorization.get(), "Bearer injected_malice!"}, };
Http::TestRequestHeaderMapImpl expected_headers{ {Http::Headers::get().Path.get(), "/anypath"}, {Http::Headers::get().Host.get(), "traffic.example.com"}, {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get}, {Http::Headers::get().Scheme.get(), "https"}, };
// cookie-validation mocking EXPECT_CALL(*validator_, setParams(_, _)); EXPECT_CALL(*validator_, isValid()).WillOnce(Return(true));
// Sanitized return reference mocking std::string legit_token{"legit_token"}; EXPECT_CALL(*validator_, token()).WillRepeatedly(ReturnRef(legit_token));
EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(mock_request_headers, false));
// Ensure that existing OAuth forwarded headers got sanitized. EXPECT_EQ(mock_request_headers, expected_headers);
EXPECT_EQ(scope_.counterFromString(“test.oauth_failure”).value(), 0); EXPECT_EQ(scope_.counterFromString(“test.oauth_success”).value(), 1); }
/** * Scenario: The OAuth filter receives a request without valid OAuth cookies to a non-callback URL * (indicating that the user needs to re-validate cookies or get 401’d). @@ -790,63 +834,41 @@ TEST_F(OAuth2Test, OAuthTestFullFlowPostWithParameters) {
EXPECT_CALL(decoder_callbacks_, encodeHeaders_(HeaderMapEqualRef(&second_response_headers), true)); EXPECT_CALL(decoder_callbacks_, continueDecoding());
filter_->finishFlow(); }
TEST_F(OAuth2Test, OAuthBearerTokenFlowFromHeader) { Http::TestRequestHeaderMapImpl request_headers_before{ {Http::Headers::get().Path.get(), "/test?role=bearer"}, {Http::Headers::get().Host.get(), "traffic.example.com"}, {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get}, {Http::Headers::get().Scheme.get(), "https"}, {Http::CustomHeaders::get().Authorization.get(), "Bearer xyz-header-token"}, }; // Expected decoded headers after the callback & validation of the bearer token is complete. Http::TestRequestHeaderMapImpl request_headers_after{ Http::TestRequestHeaderMapImpl request_headers{ {Http::Headers::get().Path.get(), "/test?role=bearer"}, {Http::Headers::get().Host.get(), "traffic.example.com"}, {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get}, {Http::Headers::get().Scheme.get(), "https"}, {Http::CustomHeaders::get().Authorization.get(), "Bearer xyz-header-token"}, };
// Fail the validation to trigger the OAuth flow. // Fail the validation. EXPECT_CALL(*validator_, setParams(_, _)); EXPECT_CALL(*validator_, isValid()).WillOnce(Return(false));
EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_before, false));
// Finally, expect that the header map had OAuth information appended to it. EXPECT_EQ(request_headers_before, request_headers_after); EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers, false)); }
TEST_F(OAuth2Test, OAuthBearerTokenFlowFromQueryParameters) { Http::TestRequestHeaderMapImpl request_headers_before{ {Http::Headers::get().Path.get(), "/test?role=bearer&token=xyz-queryparam-token"}, {Http::Headers::get().Host.get(), "traffic.example.com"}, {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get}, {Http::Headers::get().Scheme.get(), "https"}, }; Http::TestRequestHeaderMapImpl request_headers_after{ Http::TestRequestHeaderMapImpl request_headers{ {Http::Headers::get().Path.get(), "/test?role=bearer&token=xyz-queryparam-token"}, {Http::Headers::get().Host.get(), "traffic.example.com"}, {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get}, {Http::Headers::get().Scheme.get(), "https"}, {Http::CustomHeaders::get().Authorization.get(), "Bearer xyz-queryparam-token"}, };
// Fail the validation to trigger the OAuth flow. // Fail the validation. EXPECT_CALL(*validator_, setParams(_, _)); EXPECT_CALL(*validator_, isValid()).WillOnce(Return(false));
EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_before, false));
// Expected decoded headers after the callback & validation of the bearer token is complete. EXPECT_EQ(request_headers_before, request_headers_after); EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers, false)); }
} // namespace Oauth2
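Review bot: in the `@@ -95,7 +95,7 @@` hunk the new `forward_bearer_token` parameter on getConfig() is undocumented, and the comment still above it, `// Set up proto fields with standard config.`, no longer describes a function that now takes a knob. Say that the flag feeds `p.set_forward_bearer_token(forward_bearer_token);` and that the `= true` default keeps every existing `getConfig()` call site on the configuration it had before this change, so a reader does not have to diff the two hunks to work that out.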
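Review bot: in the `@@ -422,6 +422,50 @@` hunk, OAuthOkPassButInvalidToken only exercises `init(getConfig(false /* forward_bearer_token */))`, so the patch never checks what ends up in the Authorization header when forwarding is enabled. The validator is stubbed with `EXPECT_CALL(*validator_, token()).WillRepeatedly(ReturnRef(legit_token));`, but `expected_headers` carries no Authorization entry, so that stub is never observed by the assertion `EXPECT_EQ(mock_request_headers, expected_headers);`. Add a sibling test built with `getConfig(true)` whose expected map holds `Authorization: Bearer legit_token`; that is the case that proves the injected header is replaced by the session's token rather than merely dropped.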
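Review bot: in the `@@ -790,63 +834,41 @@` hunk both rewritten tests end at `EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers, false));` and assert nothing else, where the old versions at least compared `request_headers_before` with `request_headers_after`. A regression that returns StopIteration without starting the OAuth flow, or that leaves `Bearer xyz-header-token` on the request, would still pass. Expect the redirect the way OAuthTestFullFlowPostWithParameters does, with an `EXPECT_CALL(decoder_callbacks_, encodeHeaders_(...))` on the response that sends the client to the configured authorization endpoint, and assert afterwards that `request_headers` no longer carries the Authorization header. The comment also shrank from `// Fail the validation to trigger the OAuth flow.` to `// Fail the validation.`, although triggering the flow is now exactly what these tests rely on; keep the fuller wording.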

Related news

Red Hat Security Advisory 2022-5004-01

Red Hat Security Advisory 2022-5004-01 - Red Hat OpenShift Service Mesh is a Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-5006-01

Red Hat Security Advisory 2022-5006-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a traversal vulnerability.

RHSA-2022:5006: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.1.3 Containers security update

Red Hat OpenShift Service Mesh 2.1.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-1650: eventsource: Exposure of Sensitive Information
* CVE-2022-23806: golang: crypto/elliptic IsOnCurve returns true for invalid field elements
* CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode
* CVE-2022-24785: Moment.js: Path traversal in moment.locale
* CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar

RHSA-2022:5004: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.1.3 security update

Red Hat OpenShift Service Mesh 2.1.3 has been released. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-23772: golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
* CVE-2022-23773: golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
* CVE-2022-23806: golang: crypto/elliptic IsOnCurve returns true for invalid field elements
* CVE-2022-29224: envoy: Segfault in GrpcHealthCheckerImpl
* CVE-2022...
