Envoy Proxy Origin Validation Error Vulnerability - CVE-2020-15104

In Envoy before versions 1.12.6 1.13.4 1.14.4 and 1.15.0 when validating TLS certificates Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example with a SAN of .example.com Envoy would incorrectly allow nested.subdomain.example.com when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS and validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain of. For example if you intend to trust api.mysubdomain.example.com and an untrusted actor can obtain a signed TLS certificate for .example.com or .com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version or if they use match_subject_alt_names in version 1.14 or later. This issue has been fixed in Envoy versions 1.12.6 1.13.4 1.14.4 1.15.0.