Vulnerability in Envoy Proxy Affects Multiple Versions of a Cloud-Native Proxy
CVE-2024-53270
What is CVE-2024-53270?
A vulnerability in Envoy Proxy can crash the proxy through a null pointer dereference when certain configurations are applied. The issue lies in the sendOverloadError function, which incorrectly assumes that an active request exists under specific load shedding conditions. If the active request pointer is null, the function onMessageBeginImpl() is invoked, and it may return a successful status even though the stream has already been reset. This can occur during simultaneous H/2 upstream resets and leads to instability in the service.

Users are strongly advised to upgrade to the fixed versions: 1.32.3, 1.31.5, 1.30.9, and 1.29.12. For those unable to upgrade, it may be safer to disable the http1_server_abort_dispatch load shed point or set a high threshold for it.
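The upgrade and workaround guidance above can be checked against a deployment. The following Python is an added example, not code from the Envoy project or from this advisory. It assumes a JSON bootstrap that uses the overload manager's loadshed_points field and the full point name envoy.load_shed_points.http1_server_abort_dispatch. The 0.95 cut-off for a "high" threshold is a hypothetical policy value, and the sample config is constructed.

```python
import json

# Full Envoy name of the load shed point the advisory refers to.
POINT = "envoy.load_shed_points.http1_server_abort_dispatch"
# Fixed releases listed in the advisory: (major, minor) -> first fixed patch.
FIXED = {(1, 32): 3, (1, 31): 5, (1, 30): 9, (1, 29): 12}

def is_patched(version):
    """True/False for release lines the advisory lists, None for any other line."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed_patch = FIXED.get((major, minor))
    return None if fixed_patch is None else patch >= fixed_patch

def audit_bootstrap(bootstrap, version, min_threshold=0.95):
    """List workaround findings; min_threshold is an assumed policy value."""
    if is_patched(version):
        return []  # fixed release: the workaround is not needed
    findings = []
    points = bootstrap.get("overload_manager", {}).get("loadshed_points", [])
    for point in points:
        if point.get("name") != POINT:
            continue
        for trigger in point.get("triggers", []):
            value = trigger.get("threshold", {}).get("value")
            if value is None:
                findings.append(f"{trigger.get('name')}: non-fixed trigger, review manually")
            elif value < min_threshold:
                findings.append(f"{trigger.get('name')}: threshold {value} < {min_threshold}")
    return findings

# Constructed sample bootstrap, trimmed to the field that matters here.
SAMPLE = json.loads("""
{
  "overload_manager": {
    "loadshed_points": [{
      "name": "envoy.load_shed_points.http1_server_abort_dispatch",
      "triggers": [{"name": "envoy.resource_monitors.fixed_heap",
                    "threshold": {"value": 0.8}}]
    }]
  }
}
""")

if __name__ == "__main__":
    for v in ("1.31.4", "1.31.5"):
        print(v, audit_bootstrap(SAMPLE, v))
```

A version on a release line the advisory does not list returns None from is_patched and is audited as if unpatched.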
