PT-2024-2768 · Envoy
Author: Herman
Published: 2024-02-09 · Updated: 2024-04-23
CVE-2024-23322
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Envoy versions prior to 1.29.1
Envoy versions prior to 1.28.1
Envoy versions prior to 1.27.3
Envoy versions prior to 1.26.7
Description
The issue is a use-after-free error in the Envoy proxy server. Exploitation may allow a remote attacker to crash the application. Envoy crashes when certain timeouts fire within the same interval, specifically when hedge on per try timeout is enabled, per try idle timeout is enabled, and per-try-timeout is enabled with its value equal to or within the backoff interval of the per try idle timeout.
Recommendations
For Envoy versions prior to 1.29.1, upgrade to version 1.29.1 or later.
For Envoy versions prior to 1.28.1, upgrade to version 1.28.1 or later.
For Envoy versions prior to 1.27.3, upgrade to version 1.27.3 or later.
For Envoy versions prior to 1.26.7, upgrade to version 1.26.7 or later.
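The description ties the crash to three route settings being enabled together. The following audit script is an added example, not part of this advisory or of the Envoy project; it walks an Envoy v3 RouteConfiguration (as a plain dict, so it runs without a YAML library) and reports every route that combines hedge_policy.hedge_on_per_try_timeout, retry_policy.per_try_timeout and retry_policy.per_try_idle_timeout. The sample configuration embedded below is constructed for illustration.

```python
"""Audit Envoy route configs for the timeout combination described in CVE-2024-23322.

Added example (not from the advisory or the Envoy project). Field names follow the
Envoy v3 RouteAction API; the sample config at the bottom is constructed.
"""
import re

# Duration strings as they appear in Envoy YAML/JSON configs ("5s", "250ms", "1.5s").
_DURATION_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(ms|s|m|h)\s*$")
_UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}


def parse_duration_ms(value):
    """Convert an Envoy duration string to milliseconds; return None if unparseable."""
    if isinstance(value, (int, float)):
        return float(value) * 1000  # bare numbers are treated as seconds
    m = _DURATION_RE.match(str(value))
    if not m:
        return None
    return float(m.group(1)) * _UNIT_MS[m.group(2)]


def iter_routes(route_config):
    """Yield (virtual_host_name, route) pairs from a RouteConfiguration dict."""
    for vh in route_config.get("virtual_hosts", []):
        for route in vh.get("routes", []):
            yield vh.get("name", "<unnamed>"), route


def audit_route(route):
    """Return a finding dict if the route enables all three interacting settings, else None."""
    action = route.get("route")
    if not action:
        return None  # redirect / direct_response routes have no RouteAction
    retry = action.get("retry_policy") or {}
    hedge = action.get("hedge_policy") or {}
    hedge_on_per_try = bool(hedge.get("hedge_on_per_try_timeout"))
    per_try = retry.get("per_try_timeout")
    per_try_idle = retry.get("per_try_idle_timeout")
    if not (hedge_on_per_try and per_try is not None and per_try_idle is not None):
        return None
    # Both durations are reported so a reviewer can compare them against the
    # retry backoff; the advisory's exact interval condition is left to that review.
    return {
        "name": route.get("name", "<unnamed>"),
        "per_try_timeout_ms": parse_duration_ms(per_try),
        "per_try_idle_timeout_ms": parse_duration_ms(per_try_idle),
    }


def audit_route_config(route_config):
    """Return a list of findings for every route that combines the three settings."""
    findings = []
    for vh_name, route in iter_routes(route_config):
        finding = audit_route(route)
        if finding:
            finding["virtual_host"] = vh_name
            findings.append(finding)
    return findings


# Constructed sample RouteConfiguration (not taken from any real deployment).
SAMPLE_ROUTE_CONFIG = {
    "name": "local_route",
    "virtual_hosts": [{
        "name": "backend",
        "domains": ["*"],
        "routes": [
            {   # all three settings enabled: the combination the advisory describes
                "name": "risky",
                "match": {"prefix": "/api"},
                "route": {
                    "cluster": "api",
                    "retry_policy": {
                        "retry_on": "5xx",
                        "per_try_timeout": "2s",
                        "per_try_idle_timeout": "2s",
                    },
                    "hedge_policy": {"hedge_on_per_try_timeout": True},
                },
            },
            {   # hedging without per_try_idle_timeout: not the described combination
                "name": "plain_retry",
                "match": {"prefix": "/"},
                "route": {
                    "cluster": "web",
                    "retry_policy": {"retry_on": "5xx", "per_try_timeout": "2s"},
                    "hedge_policy": {"hedge_on_per_try_timeout": True},
                },
            },
        ],
    }],
}

if __name__ == "__main__":
    for f in audit_route_config(SAMPLE_ROUTE_CONFIG):
        print(f"{f['virtual_host']}/{f['name']}: per_try_timeout={f['per_try_timeout_ms']}ms "
              f"per_try_idle_timeout={f['per_try_idle_timeout_ms']}ms")
```

A flagged route is not proof that a given build is affected; the upgrade recommendations above remain the fix, and the audit only tells you which routes to look at first while rolling it out.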
Weakness Enumeration
Use After Free
Affected Products
Envoy
Red Os