Description
Envoy is an open source edge and service proxy. Envoy versions earlier than 1.36.2, 1.35.6, 1.34.10, and 1.33.12 contain a use-after-free vulnerability in the Lua filter. When a Lua script executing in the response phase rewrites a response body so that its size exceeds the configured per_connection_buffer_limit_bytes (default 1MB), Envoy generates a local reply whose headers override the original response headers, leaving dangling references and causing a crash. This results in denial of service. Updating to versions 1.36.2, 1.35.6, 1.34.10, or 1.33.12 fixes the issue. Increasing per_connection_buffer_limit_bytes (and for HTTP/2 the initial_stream_window_size) or increasing per_request_buffer_limit_bytes / request_body_buffer_limit can reduce the likelihood of triggering the condition but does not correct the underlying memory safety flaw.
A vulnerability has been identified in the Envoy edge and service proxy, where a use-after-free flaw exists within the Lua filter. An attacker can exploit this flaw by using a malicious Lua script to significantly increase the size of a response body, exceeding the connection's buffer limit. This action causes Envoy to incorrectly manage memory, leading to dangling references and a subsequent crash of the proxy. The immediate consequence is a denial of service condition, which makes the affected service completely unresponsive to all users and traffic.
Report
The Red Hat Product Security team has rated this vulnerability as having a severity of Moderate. This is because, to be successful, an attacker needs enough privileges to add a malicious Lua filter file to Envoy in order to trigger the vulnerability. A successful attack causes the Envoy process to crash, leading to a Denial of Service affecting the availability of that Envoy instance.
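The description and the report above together give two triage facts a defender needs: the fixed version on each release branch, and the fact that exposure requires the Lua HTTP filter to be configured and a body rewrite that exceeds per_connection_buffer_limit_bytes. The following is an added example written for this page (not Red Hat's or the Envoy project's code) that encodes both checks: a branch-aware version comparison against the fixed releases named above, and an inspection of a parsed Envoy Listener configuration for the Lua filter and the effective buffer limit. The listener structure (filter_chains → filters → typed_config → http_filters) and the Lua filter type URL are standard Envoy v3 configuration; the sample listeners are constructed for the example.

```python
"""Triage helpers for the Envoy Lua-filter use-after-free described above.

Added example, not Red Hat's or Envoy's own code. Fixed versions and the
configuration field names come from the advisory text; the sample listener
configs are constructed.
"""
from __future__ import annotations

# Fixed release per branch, as stated in the advisory.
FIXED_VERSIONS = {
    (1, 36): (1, 36, 2),
    (1, 35): (1, 35, 6),
    (1, 34): (1, 34, 10),
    (1, 33): (1, 33, 12),
}

# Envoy's default per_connection_buffer_limit_bytes (1MB, per the advisory).
DEFAULT_BUFFER_LIMIT = 1024 * 1024

# Standard Envoy v3 identifiers for the Lua HTTP filter.
LUA_FILTER_NAME = "envoy.filters.http.lua"
LUA_TYPE_URL = "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'v1.34.9', '1.34.9' or '1.34.9-dev' into a comparable tuple."""
    parts = version.lstrip("v").split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Envoy version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this Envoy build predates the fix on its own release branch.

    Branches older than 1.33 are treated as affected (no fixed release is
    named for them); branches newer than 1.36 are treated as not affected,
    since they are not "earlier than 1.36.2" (assumption for this example).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return branch < (1, 33)


def _is_lua_filter(http_filter: dict) -> bool:
    typed = http_filter.get("typed_config", {})
    return (http_filter.get("name") == LUA_FILTER_NAME
            or typed.get("@type") == LUA_TYPE_URL)


def assess_listener(listener: dict) -> dict:
    """Summarise exposure for one parsed Envoy Listener (from YAML or JSON).

    Records whether any HTTP connection manager in the listener carries the
    Lua filter, and which per-connection buffer limit is in force. Raising
    the limit only reduces the likelihood of hitting the condition; it is
    not a fix, so the report also flags whether the limit is the default.
    """
    has_explicit_limit = "per_connection_buffer_limit_bytes" in listener
    limit = int(listener.get("per_connection_buffer_limit_bytes", DEFAULT_BUFFER_LIMIT))
    lua_present = False
    for chain in listener.get("filter_chains", []):
        for net_filter in chain.get("filters", []):
            hcm = net_filter.get("typed_config", {})
            if any(_is_lua_filter(f) for f in hcm.get("http_filters", [])):
                lua_present = True
    return {
        "name": listener.get("name", "<unnamed>"),
        "lua_filter_present": lua_present,
        "buffer_limit_bytes": limit,
        "limit_is_default": not has_explicit_limit,
    }


def triage(version: str, listeners: list[dict]) -> dict:
    """Combine the version check with per-listener exposure.

    Action is required when the binary is unpatched AND at least one
    listener actually runs the Lua filter; the fix is to upgrade.
    """
    reports = [assess_listener(l) for l in listeners]
    affected = is_affected(version)
    return {
        "version_affected": affected,
        "listeners": reports,
        "action_required": affected and any(r["lua_filter_present"] for r in reports),
    }


# Constructed sample: one listener with the Lua filter and default limits,
# one plain listener with an explicitly raised limit.
SAMPLE_LISTENERS = [
    {
        "name": "ingress_http",
        "filter_chains": [{"filters": [{
            "name": "envoy.filters.network.http_connection_manager",
            "typed_config": {"http_filters": [
                {"name": LUA_FILTER_NAME, "typed_config": {"@type": LUA_TYPE_URL}},
                {"name": "envoy.filters.http.router"},
            ]},
        }]}],
    },
    {
        "name": "admin_passthrough",
        "per_connection_buffer_limit_bytes": 4 * 1024 * 1024,
        "filter_chains": [{"filters": [{
            "name": "envoy.filters.network.http_connection_manager",
            "typed_config": {"http_filters": [{"name": "envoy.filters.http.router"}]},
        }]}],
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage("1.35.5", SAMPLE_LISTENERS), indent=2))
```

Feed it the version reported by `envoy --version` and the listeners from a dumped bootstrap or xDS configuration; a listener that carries the Lua filter on an unpatched build is the one to prioritise for upgrade, regardless of how high its buffer limit has been raised.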
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2 | openshift-service-mesh/grafana-rhel8 | Out of support scope | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Out of support scope | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-must-gather-rhel9 | Out of support scope | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-operator-bundle | Out of support scope | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-rhel8-operator | Out of support scope | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Out of support scope | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel9 | Out of support scope | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/ratelimit-rhel8 | Out of support scope | | |
| OpenShift Service Mesh 3 | openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9 | Out of support scope | | |
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-cni-rhel9 | Out of support scope | | |
Additional information
Status:
6.5 Medium
CVSS3