ContextQMD
Back to Istio Io

ISTIO-SECURITY-2024-001

content/en/news/security/istio-security-2024-001/index.md

latest1.7 KB
Original Source

{{< security_bulletin >}}

CVE

Envoy CVEs

Note: At the time of publishing, the below security advisories have not yet been published, but should be published shortly.

  • CVE-2024-23322: (CVSS Score 7.5, High): Envoy crashes when idle and request per try timeout occur within the backoff interval.
  • CVE-2024-23323: (CVSS Score 4.3, Moderate): Excessive CPU usage when URI template matcher is configured using regex.
  • CVE-2024-23324: (CVSS Score 8.6, High): Ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata.
  • CVE-2024-23325: (CVSS Score 7.5, High): Envoy crashes when using an address type that isn't supported by the OS.
  • CVE-2024-23327: (CVSS Score 7.5, High): Crash in proxy protocol when command type of LOCAL.

Am I Impacted?

The majority of exploitable behavior is related to the use of PROXY Protocol, primarily used in gateway scenarios. If you or your users have PROXY Protocol enabled, either via EnvoyFilter or proxy config annotations, there is potential exposure.

Aside from the use of PROXY protocol, the usage of the %DOWNSTREAM_PEER_IP_SAN% command operator for access logs has potential exposure.