github.com/projectcontour/contour

CVE-2021-32783

CVE-2021-32783 is a high-severity security vulnerability in github.com/projectcontour/contour (go), affecting versions < 1.14.2. It is fixed in 1.14.2, 1.15.2, 1.16.1, 1.17.1.

Key facts
CVSS score
8.5
High
Attack vector
Network
Issuing authority
GitHub Advisory Database
Affected package
github.com/projectcontour/contour
Fixed in
1.14.2, 1.15.2, 1.16.1, 1.17.1
Disclosed
2021

Summary

Impact Josh Ferrell (@josh-ferrell) from VMware has reported that a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it cannot be used to get the content of those secrets. Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above. Patches The issue will be addressed in the forthcoming Contour v1.18.0 and a patch release, v1.17.1, has been released in the meantime. It is addressed in two ways: disabling ExternalName type Services by default When ExternalName Services are enabled, block obvious "localhost" entries. Disable ExternalName type Services by default This change prohibits processing of ExternalName services unless the cluster operator specifically allows them using the new --enable-externalname flag or equivalent configuration file setting. This is a breaking change for previous versions of Contour, which is unfortunate, but necessary because of the severity of the information exposed in this advisory. Block obvious localhost entries for enabled ExternalName Services As part of this change set, we have added a filter in the event that operators do enable ExternalName Services, such that obvious localhost entries are rejected by Contour. There are a number of problems with this method, however: This is a porous control. As long as you control a domain name, it's trivially easy to add a DNS entry for any name you like that redirects to 127.0.0.1 or ::1. Contour even provides local.projectcontour.io ourselves for testing and example purposes. (This name is, of course, included in the "obvious localhost entries" list.) So we can never totally stop this exploit as long as the admin interface is accessible on localhost, which, according to envoyproxy/envoy#2763, will be for some time if not forever. The best we can do is block some obvious elements, but this is always a risk for a motivated attacker. We've actually suggested using localhost ExternalName Services in the past, to allow people to connect to sidecar External Authentication services in their cluster. Both of these changes break this use-case, but given that it's about something that has security requirements high enough to require authentication, it's important to ensure that people are opting in. For the External Auth sidecar case, we are investigating an update to ExtensionService that will help with the sidecar use case. Workarounds Not easily. It's not possible to control the creation of ExternalName Services with RBAC without the use of Gatekeeper or other form of admission control, and the creation of services is required for Contour to actually work for application developer personas. For more information Exploit code will be published at a later date for this vulnerability, once our users have had a chance to upgrade.

Impact

Severity and exposure

CVE-2021-32783 has a CVSS score of 8.5 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (1.14.2, 1.15.2, 1.16.1, 1.17.1). Upgrading removes the vulnerable code path.

Affected versions

go

  • github.com/projectcontour/contour (< 1.14.2)
  • github.com/projectcontour/contour (>= 1.15.0, < 1.15.2)
  • github.com/projectcontour/contour (= 1.16.0)
  • github.com/projectcontour/contour (= 1.17.0)

Security releases

  • github.com/projectcontour/contour → 1.14.2 (go)
  • github.com/projectcontour/contour → 1.15.2 (go)
  • github.com/projectcontour/contour → 1.16.1 (go)
  • github.com/projectcontour/contour → 1.17.1 (go)
Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2021-32783 is reachable in your applications. Explore open-source security for your team.

See if CVE-2021-32783 is reachable in your applications. Get a demo

Already deployed Kodem? See CVE-2021-32783 in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • Upgrade github.com/projectcontour/contour to 1.14.2 or later
  • Upgrade github.com/projectcontour/contour to 1.15.2 or later
  • Upgrade github.com/projectcontour/contour to 1.16.1 or later
  • Upgrade github.com/projectcontour/contour to 1.17.1 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2021-32783

What is CVE-2021-32783?

CVE-2021-32783 is a high-severity security vulnerability in github.com/projectcontour/contour (go), affecting versions < 1.14.2. It is fixed in 1.14.2, 1.15.2, 1.16.1, 1.17.1.

How severe is CVE-2021-32783?

CVE-2021-32783 has a CVSS score of 8.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of github.com/projectcontour/contour are affected by CVE-2021-32783?

github.com/projectcontour/contour (go) versions < 1.14.2 is affected.

Is there a fix for CVE-2021-32783?

Yes. CVE-2021-32783 is fixed in 1.14.2, 1.15.2, 1.16.1, 1.17.1. Upgrade to this version or later.

Is CVE-2021-32783 exploitable, and should I be worried?

Whether CVE-2021-32783 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo

What actually determines whether CVE-2021-32783 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2021-32783?
  • Upgrade github.com/projectcontour/contour to 1.14.2 or later
  • Upgrade github.com/projectcontour/contour to 1.15.2 or later
  • Upgrade github.com/projectcontour/contour to 1.16.1 or later
  • Upgrade github.com/projectcontour/contour to 1.17.1 or later

Stop the waste.
Protect your environment with Kodem.