OpenShift Service Mesh Log Injection Vulnerability via HTTP Header Manipulation

Vulnerability

A log injection vulnerability has been identified in OpenShift Service Mesh versions 2.6.3 and 2.5.6. The flaw stems from Envoy, the mesh's data-plane proxy, writing client-supplied HTTP header values into its access logs without sanitizing them; the x-forwarded-for header is the main vector, since Envoy's default access-log format records it and, unless the proxy overwrites it, its value is entirely under the client's control. An attacker can therefore place a crafted payload in a request header and have it written into the service mesh logs, corrupting existing entries or forging new ones (log injection and spoofing). Where those logs are later rendered in a browser-based viewer without output encoding, the same payload can also trigger reflected cross-site scripting (XSS).

Impact

Successful exploitation lets an attacker inject arbitrary content into service mesh access logs: forged entries can misattribute requests (for example to a spoofed client address), hide the attacker's own activity among plausible-looking records, and mislead analysts and log-based detections. If the logs are displayed in a web interface that does not escape them, the injected content can additionally execute as reflected XSS in the viewer's browser.
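The following is an added illustration, not code from the advisory, Envoy or OpenShift Service Mesh. It models the injection path with a stand-in formatter that mirrors the shape of Envoy's default access-log line (x-forwarded-for quoted verbatim), shows the escaping a hardened logger applies, and runs a simple detector over constructed log lines. The requests, addresses, timestamps and the assumption that a bare line feed reaches the proxy are all constructed for the example.

```python
import re

# Constructed stand-in for Envoy's default access-log line (added example,
# not Envoy's or OpenShift Service Mesh's code): the x-forwarded-for value
# is written verbatim inside a double-quoted field, which is what makes it
# a log-injection vector.
LOG_FORMAT = ('[{ts}] "{method} {path} HTTP/1.1" {status} - 0 0 1 1 '
              '"{xff}" "{ua}" "{req_id}" "{authority}" "{upstream}"')


def vulnerable_log_line(req):
    """Log the request as received: header values are trusted verbatim."""
    return LOG_FORMAT.format(**req)


def escape_header_value(value):
    """Escape the characters that let a header value close its quoted field,
    terminate the record, or drive the terminal of whoever tails the log."""
    out = []
    for ch in value:
        if ch in '"\\':
            out.append('\\' + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7f:
            out.append('\\x%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def hardened_log_line(req):
    """Same layout, but every client-influenced field is escaped first."""
    safe = dict(req)
    for name in ('path', 'xff', 'ua', 'authority'):
        safe[name] = escape_header_value(req[name])
    return LOG_FORMAT.format(**safe)


# One well-formed record: a bracketed timestamp, the request line, six
# unquoted tokens, then exactly five quoted fields (escaped quotes allowed).
QUOTED = r'"(?:[^"\\\n]|\\.)*"'
LINE_RE = re.compile(r'^\[[^\]\n]+\] ' + QUOTED + r' \d{3} \S+ \d+ \d+ \d+ \S+'
                     + r'(?: ' + QUOTED + r'){5}$')
ANSI_RE = re.compile(r'\x1b\[[0-9;]*[A-Za-z]')


def suspicious_lines(log_text):
    """Return (line_number, reason) for records that carry terminal escapes
    or control characters, or that do not have the expected shape."""
    findings = []
    for n, line in enumerate(log_text.split('\n'), start=1):
        if not line:
            continue
        if ANSI_RE.search(line):
            findings.append((n, 'ansi-escape'))
        elif any(ord(c) < 0x20 or ord(c) == 0x7f for c in line):
            findings.append((n, 'control-char'))
        elif not LINE_RE.match(line):
            findings.append((n, 'malformed'))
    return findings


# Constructed requests. BASE is benign; the others carry hostile XFF values.
BASE = dict(ts='2025-06-09T19:46:00.000Z', method='GET', path='/api/orders',
            status=200, xff='198.51.100.7', ua='curl/8.0', req_id='r-1',
            authority='orders.example', upstream='10.0.0.1:8080')

# (a) Close the quoted field early and append a bogus extra field.
FIELD_SPOOF = dict(BASE, xff='203.0.113.9" "extra')

# (b) Close the record, then forge a complete second record claiming that a
#     different client issued an admin request. The forged record stops at its
#     own XFF value so the genuine trailing fields complete it perfectly.
#     (Assumes a hop ahead of the proxy let a bare LF through.)
NEWLINE_SPOOF = dict(BASE, xff=(
    '203.0.113.9" "curl/8.0" "r-1" "orders.example" "10.0.0.1:8080"\n'
    '[2025-06-09T19:46:01.000Z] "DELETE /admin/users HTTP/1.1" 200 - 0 0 1 1 '
    '"192.0.2.50'))

# (c) Terminal escape that clears the screen of anyone tailing the log.
ANSI_SPOOF = dict(BASE, xff='203.0.113.9\x1b[2J\x1b[H')

REQUESTS = (BASE, FIELD_SPOOF, NEWLINE_SPOOF, ANSI_SPOOF)


def demo():
    """Render the four requests through both loggers; returns (raw, safe)."""
    raw = '\n'.join(vulnerable_log_line(r) for r in REQUESTS)
    safe = '\n'.join(hardened_log_line(r) for r in REQUESTS)
    return raw, safe


if __name__ == '__main__':
    raw, safe = demo()
    print(raw)
    print('suspicious:', suspicious_lines(raw))  # the forged admin record is not flagged
    print(safe)
```

The point the detector makes is the uncomfortable one: the clumsy spoofs (an extra field, a terminal escape) are caught by shape and character checks, but a carefully forged record is indistinguishable from a genuine one once it has been written, so the fix has to be applied where the header enters the proxy rather than in whatever reads the logs afterwards.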

Remediation

Two complementary mitigations are recommended. First, strip untrusted headers, x-forwarded-for included, by listing them in Envoy's request_headers_to_remove (a route-configuration, virtual-host or route-level setting), so that injected content never reaches the logged header value or the upstream service. Second, in untrusted environments, stop relying on the inbound x-forwarded-for value for the client address: on the HTTP connection manager set xff_num_trusted_hops to 0 and use_remote_address to true, so that the client address Envoy records and acts on is taken from the downstream TCP connection rather than from a header the client can set. The first setting is what keeps injected content out of the logs; the second is what defeats client-address spoofing, so apply both where possible. Note that removing x-forwarded-for also hides the original client address from upstream services, so confirm that no backend depends on it before stripping it at the gateway. In Istio-based meshes such as OpenShift Service Mesh, the gateway's trusted-hop count is normally managed through meshConfig.gatewayTopology.numTrustedProxies rather than by editing the Envoy configuration directly.
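As an added example (not code from the advisory, Red Hat, Istio or Envoy), the following Python audit walks a listener configuration in the shape of an Envoy v3 bootstrap or of config_dump / istioctl proxy-config JSON and reports which of the three remediation settings above are missing, with a constructed weak configuration beside its hardened form. The field names and the HTTP connection manager type URL are Envoy's; the listener contents, cluster and virtual-host names are assumptions made for the example.

```python
import re

# Type URL Envoy attaches to the HTTP connection manager in a listener's
# filter chain (this and the field names below follow Envoy's v3 API; the
# listener contents themselves are constructed for this added example).
HCM_TYPE = ('type.googleapis.com/envoy.extensions.filters.network.'
            'http_connection_manager.v3.HttpConnectionManager')


def field(obj, snake_name, default=None):
    """Read a field whether it is spelled snake_case (bootstrap YAML/JSON) or
    lowerCamelCase (config_dump and istioctl proxy-config JSON output)."""
    camel = re.sub(r'_([a-z])', lambda m: m.group(1).upper(), snake_name)
    for key in (snake_name, camel):
        if key in obj:
            return obj[key]
    return default


def audit_hcm(hcm):
    """Check one HttpConnectionManager against the advisory's three settings;
    an empty result means all of them are in place."""
    findings = []
    if field(hcm, 'use_remote_address') is not True:
        findings.append('use_remote_address is not true: client address is '
                        'derived from the inbound x-forwarded-for header')
    hops = field(hcm, 'xff_num_trusted_hops', 0)
    if hops != 0:
        findings.append(f'xff_num_trusted_hops={hops}: trusts {hops} '
                        'client-supplied XFF entries')
    route_config = field(hcm, 'route_config')
    if route_config is None:
        findings.append('routes come from RDS: audit the route table separately')
        return findings
    removed_globally = {h.lower() for h in
                        field(route_config, 'request_headers_to_remove', [])}
    for vhost in field(route_config, 'virtual_hosts', []):
        removed_here = {h.lower() for h in
                        field(vhost, 'request_headers_to_remove', [])}
        if 'x-forwarded-for' not in removed_globally | removed_here:
            findings.append(f"virtual host {vhost.get('name')!r} does not "
                            'remove x-forwarded-for')
    return findings


def audit_listener(listener):
    """Audit every HCM in a listener; results are keyed by stat_prefix."""
    results = {}
    for chain in field(listener, 'filter_chains', []):
        for flt in field(chain, 'filters', []):
            cfg = field(flt, 'typed_config', {})
            if cfg.get('@type') == HCM_TYPE:
                results[field(cfg, 'stat_prefix', '?')] = audit_hcm(cfg)
    return results


# Weak listener, snake_case as in a bootstrap file: XFF is trusted two hops
# deep and forwarded untouched (constructed; trimmed to the relevant fields).
WEAK_LISTENER = {
    'name': 'ingress',
    'filter_chains': [{'filters': [{
        'name': 'envoy.filters.network.http_connection_manager',
        'typed_config': {
            '@type': HCM_TYPE,
            'stat_prefix': 'ingress_http',
            'use_remote_address': False,
            'xff_num_trusted_hops': 2,
            'route_config': {
                'name': 'local_route',
                'virtual_hosts': [{
                    'name': 'backend', 'domains': ['*'],
                    'routes': [{'match': {'prefix': '/'},
                                'route': {'cluster': 'orders'}}],
                }],
            },
        },
    }]}],
}

# Hardened listener, lowerCamelCase as config_dump prints it: the client
# address comes from the TCP connection and the header is stripped.
HARDENED_LISTENER = {
    'name': 'ingress',
    'filterChains': [{'filters': [{
        'name': 'envoy.filters.network.http_connection_manager',
        'typedConfig': {
            '@type': HCM_TYPE,
            'statPrefix': 'ingress_http',
            'useRemoteAddress': True,
            'xffNumTrustedHops': 0,
            'routeConfig': {
                'name': 'local_route',
                'requestHeadersToRemove': ['x-forwarded-for'],
                'virtualHosts': [{
                    'name': 'backend', 'domains': ['*'],
                    'routes': [{'match': {'prefix': '/'},
                                'route': {'cluster': 'orders'}}],
                }],
            },
        },
    }]}],
}


if __name__ == '__main__':
    for label, listener in (('weak', WEAK_LISTENER), ('hardened', HARDENED_LISTENER)):
        print(label, audit_listener(listener))
```

In a live mesh the input would be each element of the JSON array printed by istioctl proxy-config listener for the gateway pod, passed to audit_listener in turn; an HCM whose routes are delivered over RDS is reported as such, because request_headers_to_remove then lives in the route table rather than in the listener.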

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 1.3
exploitability: 6.2
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.