ISTIO-SECURITY-2024-004

{{< security_bulletin >}}

CVE

Envoy CVEs

  • CVE-2024-23326: (CVSS Score 5.9, Moderate): Incorrect handling of responses to HTTP/1 upgrade requests that can lead to request smuggling.

  • CVE-2024-32974: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.

  • CVE-2024-32975: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.

  • CVE-2024-32976: (CVSS Score 7.5, High): Vulnerability in Brotli decompressor that can lead to infinite loop.

  • CVE-2024-34362: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.

  • CVE-2024-34363: (CVSS Score 7.5, High): Vulnerability in the Envoy access log JSON formatter that can lead to abnormal process termination.

  • CVE-2024-34364: (CVSS Score 5.7, Moderate): Unbounded memory consumption in ext_proc and ext_authz.

Am I Impacted?

If you are using JSON access log formatting in Istio 1.22, you are impacted by CVE-2024-34363 (a crash of the Envoy proxy when it formats an access log entry); please upgrade as soon as possible. The request smuggling issue, CVE-2024-23326, also affects users of WebSockets, since WebSocket connections are established through HTTP/1 upgrade requests.
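The script below is an added example, not part of the Istio bulletin or the Istio project's tooling. It turns the impact statement into a check you can run against your own cluster: it takes the mesh config (the `mesh` key of the `istio` ConfigMap in `istio-system`, which is where `accessLogEncoding` is set) and the control-plane version, and reports a match when the version is on the 1.22 line and access logs are JSON-encoded. The two inputs are constructed samples; the `kubectl` and `istioctl` commands in the comments are what you would substitute to capture real values. The script flags the whole 1.22 minor line because this page names only "Istio 1.22"; compare your exact patch version against the fixed release in the bulletin's own metadata. The WebSocket condition for CVE-2024-23326 depends on workload traffic rather than mesh config, so it is not checked here.

```shell
#!/usr/bin/env sh
# Added example: decide whether a mesh matches the bulletin's JSON-access-log impact statement.

# Mesh config as returned by:
#   kubectl -n istio-system get configmap istio -o jsonpath='{.data.mesh}'
# This sample is constructed for the example, not captured from a real cluster.
SAMPLE_MESH_CONFIG='accessLogFile: /dev/stdout
accessLogEncoding: JSON
defaultConfig:
  discoveryAddress: istiod.istio-system.svc:15012
enablePrometheusMerge: true'

# Control-plane version as printed by:
#   istioctl version --remote=false
# Constructed sample value.
SAMPLE_VERSION='1.22.0'

# uses_json_access_logs MESH_CONFIG
# Returns 0 when accessLogEncoding is JSON (case-insensitive, optional quotes), 1 otherwise.
uses_json_access_logs() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*accessLogEncoding:[[:space:]]*"?JSON"?[[:space:]]*$'
}

# in_affected_minor VERSION
# Returns 0 for any 1.22.x version (the line the bulletin names), 1 otherwise.
# The page does not state the fixed 1.22 patch release, so all of 1.22 is flagged
# and the reader compares against the bulletin metadata.
in_affected_minor() {
    case "$1" in
        1.22|1.22.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# impacted MESH_CONFIG VERSION
# Prints a verdict and returns 0 when both conditions hold, 1 otherwise.
impacted() {
    if in_affected_minor "$2" && uses_json_access_logs "$1"; then
        echo "IMPACTED: Istio $2 with JSON access log encoding (CVE-2024-34363); upgrade"
        return 0
    fi
    echo "Not matched by the JSON access log condition (Istio $2); still review the other CVEs"
    return 1
}

impacted "$SAMPLE_MESH_CONFIG" "$SAMPLE_VERSION"
```

To run it against a live cluster, replace the two sample variables with the output of the commands in the comments; the `grep` pattern deliberately matches only the top-level `accessLogEncoding` key, so a JSON format set some other way (for example through an EnvoyFilter) must be reviewed by hand.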