If envoy is in your PATH, simply run the tool:
$ envoy-cves
✔ Success! your envoy was tested and is immune to CVE-2019-9901. Make sure that the option normalize_path is turned on in your HCM settings.
✔ Success! your envoy was tested and is immune to CVE-2019-9900
If not, provide the path to envoy in a flag:
envoy-cves --envoy=/path/to/envoy
✘ Fail! your envoy did not normalize the path - it is vulnerable to CVE-2019-9901
✘ Fail! your envoy accepts nil in headers - it is vulnerable to CVE-2019-9900
This tool checks whether envoy is vulnerable to CVE-2019-9900 and CVE-2019-9901 by sending envoy crafted inputs and analyzing how envoy responds to them. It summarizes the results as a simple success/fail output.
The envoy-cves tool is a single static binary and can easily be used in a docker container. For example, to test the tool with the official envoy docker image, run this:
wget -O envoy-cves https://github.com/solo-io/envoy-cves/releases/download/v0.1.0/envoy-cves-linux
chmod +x envoy-cves
docker run -v $PWD/envoy-cves:/bin/envoy-cves --entrypoint=/bin/envoy-cves envoyproxy/envoy
We can also copy the tool into a running Kubernetes container and run it there:
kubectl -n gloo-system cp envoy-cves gateway-proxy-7f5dcc6c46-vp88v:/tmp/envoy-cves
kubectl -n gloo-system exec gateway-proxy-7f5dcc6c46-vp88v -- /tmp/envoy-cves
✔ Success! your envoy was tested and it is immune to CVE-2019-9901. Make sure the option normalize_path is turned on in your HCM settings.
✔ Success! your envoy was tested and it is immune to CVE-2019-9900
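The success message for CVE-2019-9901 asks you to make sure normalize_path is turned on in your HCM settings. The following is an added example, not part of envoy-cves, that checks this in an Envoy bootstrap file in JSON form. It assumes statically defined listeners only (listeners delivered over xDS are not covered) and treats an absent normalize_path field as off; the sample bootstrap and the function names are constructed for illustration.

```python
import json

# Legacy (v2) and current names of the HTTP connection manager network filter.
HCM_NAMES = {
    "envoy.http_connection_manager",
    "envoy.filters.network.http_connection_manager",
}

def hcm_normalize_path(bootstrap):
    """Map "listener/stat_prefix" -> True when normalize_path is explicitly on."""
    results = {}
    listeners = bootstrap.get("static_resources", {}).get("listeners", [])
    for i, listener in enumerate(listeners):
        lname = listener.get("name", f"listener[{i}]")
        for chain in listener.get("filter_chains", []):
            for flt in chain.get("filters", []):
                if flt.get("name") not in HCM_NAMES:
                    continue
                # Older configs carry the settings in "config", newer in "typed_config".
                cfg = flt.get("typed_config") or flt.get("config") or {}
                key = f"{lname}/{cfg.get('stat_prefix', '?')}"
                # Assumption: an absent field counts as off; only explicit true passes.
                results[key] = cfg.get("normalize_path") is True
    return results

def unnormalized(bootstrap):
    """Sorted list of HCMs that do not explicitly enable normalize_path."""
    return sorted(k for k, on in hcm_normalize_path(bootstrap).items() if not on)

# Constructed sample bootstrap (not taken from a real deployment).
SAMPLE = json.loads("""
{"static_resources": {"listeners": [
  {"name": "ingress", "filter_chains": [{"filters": [
    {"name": "envoy.http_connection_manager",
     "config": {"stat_prefix": "ingress_http", "normalize_path": true}}]}]},
  {"name": "internal", "filter_chains": [{"filters": [
    {"name": "envoy.filters.network.http_connection_manager",
     "typed_config": {"stat_prefix": "internal_http"}},
    {"name": "envoy.tcp_proxy", "config": {"stat_prefix": "tcp"}}]}]}
]}}
""")

if __name__ == "__main__":
    for name in unnormalized(SAMPLE):
        print(f"normalize_path not enabled: {name}")
```

To check your own configuration, load the bootstrap with json.load and pass the resulting dict to unnormalized; an empty list means every statically defined HCM enables the option.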