ISTIO-SECURITY-2024-007

content/en/news/security/istio-security-2024-007/index.md

{{< security_bulletin >}}

CVE

Envoy CVEs

  • CVE-2024-53269: (CVSS Score 4.5, Moderate): Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.
  • CVE-2024-53270: (CVSS Score 7.5, High): HTTP/1: sending overload crashes when the request is reset beforehand.
  • CVE-2024-53271: (CVSS Score 7.1, High): HTTP/1.1: multiple issues with envoy.reloadable_features.http1_balsa_delay_reset.

Am I Impacted?

You are impacted if you are using Istio 1.22.0 to 1.22.6, 1.23.0 to 1.23.3, or 1.24.0 to 1.24.1; upgrade immediately. If you have created a custom EnvoyFilter to enable the Overload Manager, avoid using the http1_server_abort_dispatch load shed point until you are on a fixed release.
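The two checks above (affected version range, and whether a custom EnvoyFilter turns on the risky load shed point) can be scripted. The following is an added triage helper written for this page, not code from the Istio project. It assumes the version string comes from `istioctl version` (or the pilot image tag) and that EnvoyFilters are fed in as the JSON that `kubectl get envoyfilter -A -o json` prints; the embedded manifests are constructed for the example, and the load shed point is matched by its `http1_server_abort_dispatch` suffix so both the short name used in the bulletin and Envoy's fully qualified `envoy.load_shed_points.` form are caught.

```python
"""Triage helper for ISTIO-SECURITY-2024-007 (added example, not Istio code).

Check 1: is the running Istio release inside an affected range?
Check 2: does any EnvoyFilter enable the overload manager with the
         http1_server_abort_dispatch load shed point?
"""
import json
import re

# Affected ranges from the bulletin, inclusive at both ends.
AFFECTED_RANGES = [
    ((1, 22, 0), (1, 22, 6)),
    ((1, 23, 0), (1, 23, 3)),
    ((1, 24, 0), (1, 24, 1)),
]

# Assumption: the load shed point is identified by this suffix, whether the
# EnvoyFilter author wrote the short name or Envoy's fully qualified name.
LOAD_SHED_SUFFIX = "http1_server_abort_dispatch"


def parse_version(version: str) -> tuple:
    """Turn '1.24.1', 'v1.24.1' or '1.24.1-distroless' into (1, 24, 1)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Istio version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the release falls inside one of the bulletin's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _walk(obj):
    """Yield every (key, value) pair in a nested dict/list structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k, v
            yield from _walk(v)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def risky_envoyfilters(kubectl_json: str) -> list:
    """Return 'namespace/name' of every EnvoyFilter whose patch configures the
    http1_server_abort_dispatch load shed point anywhere in its spec."""
    items = json.loads(kubectl_json).get("items", [])
    hits = []
    for ef in items:
        for key, val in _walk(ef.get("spec", {})):
            if key == "name" and isinstance(val, str) and val.endswith(LOAD_SHED_SUFFIX):
                meta = ef["metadata"]
                hits.append(f"{meta['namespace']}/{meta['name']}")
                break
    return hits


# Constructed sample: what `kubectl get envoyfilter -A -o json` might print in a
# cluster with one overload-manager filter using the risky point and one that
# only tunes a different (hypothetical) bootstrap setting.
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "overload-abort", "namespace": "istio-system"},
            "spec": {"configPatches": [{
                "applyTo": "BOOTSTRAP",
                "patch": {"operation": "MERGE", "value": {"overload_manager": {
                    "loadshed_points": [{
                        "name": "envoy.load_shed_points.http1_server_abort_dispatch",
                        "triggers": [{"name": "envoy.resource_monitors.global_downstream_max_connections",
                                      "threshold": {"value": 0.95}}],
                    }]}}}}]},
        },
        {
            "metadata": {"name": "harmless-tuning", "namespace": "default"},
            "spec": {"configPatches": [{
                "applyTo": "BOOTSTRAP",
                "patch": {"operation": "MERGE", "value": {"stats_flush_interval": "10s"}}}]},
        },
    ]
})


if __name__ == "__main__":
    for v in ("1.22.6", "1.22.7", "v1.24.1", "1.24.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("EnvoyFilters using the risky load shed point:", risky_envoyfilters(SAMPLE_KUBECTL_JSON))
```

Run the version check against each control plane revision in the cluster (canary revisions are easy to forget), and run the EnvoyFilter scan across all namespaces, since an EnvoyFilter in a workload namespace can still patch the bootstrap of sidecars there.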