Description
Envoy is a cloud-native, high-performance edge/middle/service proxy. In affected versions, `sendOverloadError` assumes that the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only `onMessageBeginImpl()` is called. However, `onMessageBeginImpl` returns an OK status directly if the stream has already been reset, which leads to a nullptr dereference. The downstream reset can happen during the H/2 upstream reset. As a result, Envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable the `http1_server_abort_dispatch` load shed point and/or use a high threshold.
A flaw was found in Envoy. In systems where http1_server_abort_dispatch is configured, Envoy does not properly handle the control flow during H1 stream resets. This can trigger a null pointer error and lead to an application crash.
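A check for the two conditions the description names, an unfixed release and the load shed point being configured, written as an added example that is not part of the advisory or of Envoy. The `overload_manager.loadshed_points` layout follows Envoy's bootstrap format; the function names and the sample bootstrap are constructed for illustration.

```python
import json
import re

# Fixed releases per minor branch, taken from the advisory text above.
FIXED = {(1, 32): 3, (1, 31): 5, (1, 30): 9, (1, 29): 12}
LOAD_SHED_POINT = "envoy.load_shed_points.http1_server_abort_dispatch"


def is_patched(version):
    """True if `version` (e.g. '1.31.4') is at or above the fix for its branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: branches newer than 1.32 carry the fix; older branches are
    # not listed in the advisory and are treated as unpatched.
    return (major, minor) > max(FIXED)


def load_shed_triggers(bootstrap):
    """Return {resource monitor: threshold} for the load shed point, or None if absent."""
    points = bootstrap.get("overload_manager", {}).get("loadshed_points", [])
    for point in points:
        if point.get("name") == LOAD_SHED_POINT:
            return {t.get("name"): t.get("threshold", {}).get("value")
                    for t in point.get("triggers", [])}
    return None


def assess(version, bootstrap):
    """Classify a deployment as 'patched', 'not-exposed' or 'exposed'."""
    if is_patched(version):
        return "patched"
    return "exposed" if load_shed_triggers(bootstrap) is not None else "not-exposed"


# Constructed sample bootstrap (JSON form), not taken from a real deployment.
SAMPLE = json.loads("""
{"overload_manager": {"loadshed_points": [
  {"name": "envoy.load_shed_points.http1_server_abort_dispatch",
   "triggers": [{"name": "envoy.resource_monitors.fixed_heap",
                 "threshold": {"value": 0.9}}]}]}}
""")

if __name__ == "__main__":
    for v in ("1.31.4", "1.31.5", "1.29.11"):
        print(v, assess(v, SAMPLE), load_shed_triggers(SAMPLE))
```

The thresholds returned by `load_shed_triggers` are the values to review when applying the "high threshold" workaround on a release that cannot be upgraded.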
Report
This vulnerability in Envoy Proxy is marked as important severity rather than moderate due to its ability to cause a null pointer dereference, leading to a complete crash of the proxy under specific conditions. As Envoy is commonly deployed in mission-critical roles such as a high-performance edge, middle, or service proxy, a crash can disrupt downstream and upstream communication, effectively bringing down services dependent on Envoy. The issue is exacerbated by its potential to occur during load shedding, a mechanism typically invoked during resource exhaustion, which is a critical time for maintaining service availability.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel8 | Affected | ||
| Red Hat OpenShift Service Mesh 2.6 for RHEL 9 | openshift-service-mesh/proxyv2-rhel9 | Fixed | RHSA-2025:1053 | 05.02.2025 |
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
Envoy is a cloud-native high-performance edge/middle/service proxy. In ...
A vulnerability in the envoy.load_shed_points.http1_server_abort_dispatch configuration of the Envoy proxy server that allows an attacker to cause a denial of service