Envoy Proxy Crashes due to HTTP Async Client Issues
CVE-2024-45810

7.5 HIGH

Key Information:

Vendor: Envoy

Status
Vendor
CVE Published: 20 September 2024

What is CVE-2024-45810?

A vulnerability in Envoy, the cloud-native high-performance edge/middle/service proxy, can crash the proxy under specific conditions, such as websocket upgrades and request mirroring. The flaw stems from improper handling of the sendLocalReply() method within the HTTP asynchronous client: the status code is duplicated, and the router is destroyed at an inappropriate point in the async stream's lifecycle, which results in a segmentation fault. The issue affects ext_authz when upgrade and connection headers are used. Users are strongly advised to upgrade to a fixed version (1.31.2, 1.30.6, 1.29.9, or 1.28.7), as no workarounds are available.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
