CVE-2023-35942

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.27.0 Envoy versions prior to 1.26.4 Envoy versions prior to 1.25.9 Envoy versions prior to 1.24.10 Envoy versions prior to 1.23.12

Description The issue is related to a use-after-free crash in Envoy when gRPC access loggers using the listener's global scope are utilized and the listener is drained. This can be exploited by a remote attacker to launch a denial-of-service (DoS) attack.

Recommendations For versions prior to 1.27.0, update to version 1.27.0 or later. For versions prior to 1.26.4, update to version 1.26.4 or later. For versions prior to 1.25.9, update to version 1.25.9 or later. For versions prior to 1.24.10, update to version 1.24.10 or later. For versions prior to 1.23.12, update to version 1.23.12 or later. As a temporary workaround, consider disabling the gRPC access log or stopping listener updates until a patch is applied.