GHSA-22xc-xg2r-9j7v
Envoy Gateway: xDS Control Plane Information Disclosure when operating in GatewayNamespaceMode
상세
### Impact When Envoy Gateway runs in GatewayNamespaceMode (`provider.kubernetes.deploy.type=GatewayNamespace`), the xDS gRPC server is configured with a `StreamInterceptor` for JWT authentication but no UnaryInterceptor. The go-control-plane xDS server exposes both streaming and unary (Fetch) RPC methods for all registered discovery services. Since there is no unary interceptor, these Fetch endpoints are completely unauthenticated.
Additionally, the JWT authentication interceptor in GatewayNamespaceMode only validates tokens when the received gRPC message is of type `discoveryv3.DeltaDiscoveryRequest` . If the message is a `discoveryv3.DiscoveryRequest` — used by the State-of-the-World (SotW) xDS protocol — the type assertion fails, the validation block is skipped entirely, and RecvMsg returns nil (success) without any authentication.
Any pod in the cluster that can reach the xDS server (port 18000) can use the SotW protocol to bypass JWT authentication and access:
* TLS private keys via StreamSecrets (SDS) * All xDS resources via StreamAggregatedResources (ADS) * Backend endpoints via StreamClusters / StreamEndpoints (CDS/EDS) * Routing rules via StreamRoutes / StreamListeners (RDS/LDS)
### Credits
Envoy Gateway thanks @dashingDragon and @Donjon-Cerberus for reporting this issue.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
1.8.0-rc.0 수정 버전: 1.8.1 go get github.com/envoyproxy/gateway@v1.8.1 0 수정 버전: 1.7.4 go get github.com/envoyproxy/gateway@v1.7.4