Summary

A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs.

This is achieved by exploiting the lack of validation for the REQUESTED_SERVER_NAME field for access loggers.

PoC

In our default access log format, the primary arbitrary input fields are headers.

REQUESTED_SERVER_NAME also can take arbitrary inputs and has no validation in Envoy at all (despite the RFC being pretty strict).

Further, this is externally exploitable as will be logged in majority of cases, even if RBAC denies.

An example exploit:

blue='\e[0;34m'
x=$(echo -e $blue)
client https://10.36.1.114/ --server-name "[foo.com](http://foo.com/)${x}this is blue
end<script>alert()</script>
[2022-01-05T17:14:26.823Z] fake log"

This has 3 in one:

• Inject ANSI escape characters. Here it makes kubectl logs return blue text; cursor movement is also possible. Above probably only works on zsh, but others support them as well with different syntax. Cursor movement allows deleting logs, masking an attack
• Inject HTML - I don't know of any log viewers that are subject to this, but its plausible.
• Inject new lines, which allows inject fake logs

Impact

Log injection to our system will cause multiple unexpected problems