CVE-2024-45807

Published: 20 Sep 2024
Source: redhat
CVSS3: 7.5 (High)

Description

Envoy is a cloud-native, high-performance edge/middle/service proxy. Envoy 1.31 uses oghttp2 as its default HTTP/2 codec, and that codec has potential bugs around stream management. To resolve this, Envoy switches oghttp2 off by default. The impact of the issue is that Envoy crashes (a denial of service of the proxy). The fix shipped in release 1.31.2; all users are advised to upgrade. There are no known workarounds for this issue.

A flaw was found in Envoy. Affected versions of Envoy use oghttp2 as the default HTTP/2 codec, and there are potential bugs around stream management in that codec. To resolve this issue, Envoy switches oghttp2 off by default. This issue may cause Envoy to crash.
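The advisory gives only a version boundary (1.31 introduced the oghttp2 default, 1.31.2 carries the fix), so the practical first step is to sort a fleet's proxies by version. The script below is an added example, not code from Envoy or from Red Hat; it assumes the `envoy --version` output shape `envoy  version: <sha>/<semver>/<status>/<build>/<tls>` and that the admin `/server_info` endpoint returns the same string in a `version` field, and it treats the affected range as `>= 1.31.0, < 1.31.2` as read from this advisory. Vendor builds such as the OpenShift Service Mesh `proxyv2` images carry their own versioning, so for those rely on the affected-packages table rather than on this check. The sample inputs are constructed.

```python
import json
import re

# Range read from the advisory on this page: the 1.31 series defaulted to oghttp2
# and the fix shipped in 1.31.2, so 1.31.0 and 1.31.1 are affected (assumption:
# later minors keep the fix). Confirm against the upstream advisory before acting.
AFFECTED_MIN = (1, 31, 0)  # inclusive
FIXED = (1, 31, 2)         # exclusive

# Assumed shape of `envoy --version`: "envoy  version: <sha>/<semver>/<status>/<build>/<tls>".
# The admin /server_info endpoint carries the same string in its "version" field (assumed).
VERSION_RE = re.compile(r"/(\d+)\.(\d+)\.(\d+)(-dev)?/")


def parse_envoy_version(text):
    """Return (major, minor, patch, is_dev) from an Envoy version string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def classify(version_text):
    """Classify an Envoy version string against CVE-2024-45807.

    Returns one of "affected", "fixed", "unaffected" or "unknown".
    """
    parsed = parse_envoy_version(version_text)
    if parsed is None:
        return "unknown"
    major, minor, patch, is_dev = parsed
    if is_dev:
        # A -dev build sits on a moving branch; the number alone does not say
        # whether the fix commit is in it, so flag it for manual review.
        return "unknown"
    version = (major, minor, patch)
    if version < AFFECTED_MIN:
        return "unaffected"  # pre-1.31 did not default to oghttp2 per the advisory
    if version < FIXED:
        return "affected"
    return "fixed"


def classify_server_info(server_info_json):
    """Classify from the JSON body of the admin /server_info endpoint (assumed "version" field)."""
    info = json.loads(server_info_json)
    return classify(info.get("version", ""))


# Constructed sample inputs (the SHA is a placeholder, not a real Envoy commit).
SAMPLE_VERSION_OUTPUT = (
    "envoy  version: 0123456789abcdef0123456789abcdef01234567/1.31.1/Clean/RELEASE/BoringSSL"
)
SAMPLE_SERVER_INFO = json.dumps(
    {
        "version": "0123456789abcdef0123456789abcdef01234567/1.31.2/Clean/RELEASE/BoringSSL",
        "state": "LIVE",
    }
)


if __name__ == "__main__":
    # Usage: pipe `envoy --version` output in, e.g. `envoy --version | python3 check.py`
    import sys

    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VERSION_OUTPUT
    print(f"{classify(data)}: {data.strip()}")
```

The `-dev` case is deliberately reported as `unknown` rather than guessed, since a main-branch build labelled 1.32.0-dev may or may not predate the fix; an `unknown` result for a production proxy is itself a finding worth following up.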

Statement

Red Hat rates this issue as Moderate rather than Important. The oghttp2 codec's stream-management bug crashes Envoy only under specific HTTP/2 stream-management conditions that typical deployments may never trigger, which limits its immediate impact on most installations.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                  Package                                  State     Advisory  Release
OpenShift Service Mesh 2  openshift-service-mesh/istio-cni-rhel8   Affected
OpenShift Service Mesh 2  openshift-service-mesh/pilot-rhel8       Affected
OpenShift Service Mesh 2  openshift-service-mesh/proxyv2-rhel8     Affected
OpenShift Service Mesh 2  openshift-service-mesh/proxyv2-rhel9     Affected


Additional information

Severity: Moderate
Weakness: CWE-670 (Always-Incorrect Control Flow Implementation)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2313684 (envoy: Oghttp2 crash on `OnBeginHeadersForStream`)


Related vulnerabilities

CVSS3: 7.5
nvd
more than 1 year ago

Envoy is a cloud-native, high-performance edge/middle/service proxy. Envoy 1.31 uses `oghttp2` as its default HTTP/2 codec, and that codec has potential bugs around stream management. To resolve this, Envoy switches `oghttp2` off by default. The impact of the issue is that Envoy crashes. The fix shipped in release 1.31.2; all users are advised to upgrade. There are no known workarounds for this issue.

CVSS3: 7.5
debian
more than 1 year ago

Envoy is a cloud-native high-performance edge/middle/service proxy. En ...
