CNCF Envoy Incorrect Access Control Vulnerability in Secret Discovery Service Validation Context

Vulnerability

CNCF Envoy versions prior to 1.13.0 enforce access control incorrectly when the Secret Discovery Service (SDS) is used together with a combined validation context, that is, a validation context whose 'static' rules are configured inline and merged with a secret fetched over SDS. The problem appears when the same secret, such as a trusted Certificate Authority (CA), is shared by several resources: resources configured after that secret was first received may not apply the 'static' validation context rules, so checks the operator believes are in force are bypassed. The flaw allows unauthorized access to services or impersonation of services, potentially escalating privileges.
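The configuration shape the advisory is talking about, shown as an added example rather than text from the advisory or an Envoy project sample: a v3 DownstreamTlsContext whose combined_validation_context carries an inline (static) SAN rule in default_validation_context and a CA bundle fetched from SDS in validation_context_sds_secret_config. The secret names (server_cert, trusted_ca), the SDS cluster name and the SAN value are assumed placeholders; the field names are the current v3 ones, which the affected 1.12/1.13 releases spell differently under the v2 API.

```yaml
# Added example (not from the advisory or the Envoy project). Placeholder
# names: server_cert, trusted_ca, sds_cluster, client.internal.example.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    require_client_certificate: true
    common_tls_context:
      tls_certificate_sds_secret_configs:
        - name: server_cert
          sds_config:
            resource_api_version: V3
            api_config_source:
              api_type: GRPC
              transport_api_version: V3
              grpc_services:
                - envoy_grpc:
                    cluster_name: sds_cluster
      combined_validation_context:
        # "Static" half: inline rules that never come from SDS. The advisory
        # says this half may not be applied on resources configured after the
        # shared secret below was first received.
        default_validation_context:
          match_typed_subject_alt_names:
            - san_type: DNS
              matcher:
                exact: "client.internal.example"
        # "Dynamic" half: the trusted CA bundle, fetched from SDS by name. If
        # the same trusted_ca secret is referenced by other listeners or
        # clusters, this is the "same secret across multiple resources" case.
        validation_context_sds_secret_config:
          name: trusted_ca
          sds_config:
            resource_api_version: V3
            api_config_source:
              api_type: GRPC
              transport_api_version: V3
              grpc_services:
                - envoy_grpc:
                    cluster_name: sds_cluster
```

With this layout, the CA check (does the client certificate chain to trusted_ca?) and the SAN check (is the certificate issued to client.internal.example?) are meant to be applied together. The advisory's condition is that only the CA check survives on some resources, so a certificate issued by the trusted CA to any other name would be accepted there. A practical way to confirm a deployment is not affected after upgrading is to present a client certificate that chains to the trusted CA but carries a SAN outside the static rule and verify that the TLS handshake is rejected on every listener that references the shared secret, not only the first one configured.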

Impact

Exploitation of this vulnerability can lead to unauthorized access to services, impersonation of services, and escalation of privileges.

Remediation

Users can upgrade to Envoy versions 1.13.1 or 1.12.3, both of which contain the necessary fix. Instructions for upgrading can be found in the Envoy documentation.

Added: May 15, 2026, 9:53 AM
Updated: May 15, 2026, 9:53 AM