CVE-2019-18838 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-18838 Interim 1 12 2023-06-25T23:47:45Z current 2021-05-30T14:33:02Z 2023-06-25T23:47:45Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-18838 An issue was discovered in Envoy 1.12.0. Upon receipt of a malformed HTTP request without a Host header, it sends an internally generated "Invalid request" response. This internally generated response is dispatched through the configured encoder filter chain before being sent to the client. An encoder filter that invokes route manager APIs that access a request's Host header causes a NULL pointer dereference, resulting in abnormal termination of the Envoy process. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2020-June/006950.html E-Mail link for SUSE-CU-2020:196-1 https://lists.suse.com/pipermail/sle-security-updates/2020-June/006952.html E-Mail link for SUSE-CU-2020:198-1 https://lists.suse.com/pipermail/sle-security-updates/2020-June/006954.html E-Mail link for SUSE-CU-2020:200-1 https://lists.suse.com/pipermail/sle-security-updates/2020-June/006955.html E-Mail link for SUSE-CU-2020:201-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007995.html E-Mail link for SUSE-CU-2020:789-1 https://lists.suse.com/pipermail/sle-security-updates/2020-December/007998.html E-Mail link for SUSE-CU-2020:793-1 https://lists.suse.com/pipermail/sle-security-updates/2020-June/006902.html E-Mail link for SUSE-SU-2020:1573-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container caasp/v4/cert-exporter:2.3.0 Container caasp/v4/cilium-operator:1.6.6 Container caasp/v4/cilium:1.6.6 Container caasp/v4/hyperkube:v1.17.17 Container caasp/v4/kured:1.3.0 Container caasp/v4/metrics-server:0.3.6 SUSE CaaS Platform 4.0 bpftool-4.12.14-1.3.8.3 caasp-release-4.2.1-24.23.4 cert-exporter-2.3.0-1.3.4 cilium-1.6.6-3.3.8 cilium-cni-1.6.6-3.3.8 cilium-operator-1.6.6-3.3.8 cilium-proxy-20200109-3.3.11.1 iproute2-5.3-3.3.5 kured-1.3.0-4.17.5 libdd_opentracing0-1.0.1-3.7.3 libfmt6-6.1.2-3.3.5 libsqlparser1-1.5+git20181206-1.6.6 libxxhash0-0.7.1-3.3.4 metrics-server-0.3.6-1.3.4 skuba-1.3.5-3.39.1 skuba-update-1.3.5-3.39.1 terraform-provider-vsphere-1.17.3-3.3.4 cert-exporter-2.3.0-1.3.4 as a component of Container caasp/v4/cert-exporter:2.3.0 cilium-operator-1.6.6-3.3.8 as a component of Container caasp/v4/cilium-operator:1.6.6 bpftool-4.12.14-1.3.8.3 as a component of Container caasp/v4/cilium:1.6.6 cilium-1.6.6-3.3.8 as a component of Container caasp/v4/cilium:1.6.6 cilium-cni-1.6.6-3.3.8 as a component of Container caasp/v4/cilium:1.6.6 cilium-proxy-20200109-3.3.11.1 as a component of Container caasp/v4/cilium:1.6.6 iproute2-5.3-3.3.5 as a component of Container caasp/v4/cilium:1.6.6 libdd_opentracing0-1.0.1-3.7.3 as a component of Container caasp/v4/cilium:1.6.6 libfmt6-6.1.2-3.3.5 as a component of Container caasp/v4/cilium:1.6.6 libsqlparser1-1.5+git20181206-1.6.6 as a component of Container caasp/v4/cilium:1.6.6 libxxhash0-0.7.1-3.3.4 as a component of Container caasp/v4/cilium:1.6.6 iproute2-5.3-3.3.5 as a component of Container caasp/v4/hyperkube:v1.17.17 kured-1.3.0-4.17.5 as a component of Container caasp/v4/kured:1.3.0 metrics-server-0.3.6-1.3.4 as a component of Container caasp/v4/metrics-server:0.3.6 caasp-release-4.2.1-24.23.4 as a component of SUSE CaaS Platform 4.0 skuba-1.3.5-3.39.1 as a component of SUSE CaaS Platform 4.0 skuba-update-1.3.5-3.39.1 as a component of SUSE CaaS Platform 4.0 terraform-provider-vsphere-1.17.3-3.3.4 as a component of SUSE CaaS Platform 4.0 An issue was discovered in Envoy 1.12.0. Upon receipt of a malformed HTTP request without a Host header, it sends an internally generated "Invalid request" response. This internally generated response is dispatched through the configured encoder filter chain before being sent to the client. An encoder filter that invokes route manager APIs that access a request's Host header causes a NULL pointer dereference, resulting in abnormal termination of the Envoy process. CVE-2019-18838 Container caasp/v4/cert-exporter:2.3.0:cert-exporter-2.3.0-1.3.4 Container caasp/v4/cilium-operator:1.6.6:cilium-operator-1.6.6-3.3.8 Container caasp/v4/cilium:1.6.6:bpftool-4.12.14-1.3.8.3 Container caasp/v4/cilium:1.6.6:cilium-1.6.6-3.3.8 Container caasp/v4/cilium:1.6.6:cilium-cni-1.6.6-3.3.8 Container caasp/v4/cilium:1.6.6:cilium-proxy-20200109-3.3.11.1 Container caasp/v4/cilium:1.6.6:iproute2-5.3-3.3.5 Container caasp/v4/cilium:1.6.6:libdd_opentracing0-1.0.1-3.7.3 Container caasp/v4/cilium:1.6.6:libfmt6-6.1.2-3.3.5 Container caasp/v4/cilium:1.6.6:libsqlparser1-1.5+git20181206-1.6.6 Container caasp/v4/cilium:1.6.6:libxxhash0-0.7.1-3.3.4 Container caasp/v4/hyperkube:v1.17.17:iproute2-5.3-3.3.5 Container caasp/v4/kured:1.3.0:kured-1.3.0-4.17.5 Container caasp/v4/metrics-server:0.3.6:metrics-server-0.3.6-1.3.4 SUSE CaaS Platform 4.0:caasp-release-4.2.1-24.23.4 SUSE CaaS Platform 4.0:skuba-1.3.5-3.39.1 SUSE CaaS Platform 4.0:skuba-update-1.3.5-3.39.1 SUSE CaaS Platform 4.0:terraform-provider-vsphere-1.17.3-3.3.4 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H