PT-2024-2769 · Envoy

Phlax

Published: 2024-02-09 · Updated: 2026-01-21

CVE-2024-23325

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Envoy versions prior to 1.26.7
Envoy versions prior to 1.27.3
Envoy versions prior to 1.28.1
Envoy versions prior to 1.29.1

Description

Envoy crashes in its proxy protocol handling when it receives an address type that the host OS does not support. Specifically, Envoy running on a host with IPv6 disabled, with a listener configured with proxy protocol enabled, crashes when it receives a request in which the client presents its IPv6 address. This is a valid scenario: a client can present its IPv6 address to the target server even though the whole chain is connected via IPv4. The crash results from an uncaught exception.

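The weakness described above is an exceptional condition (an address family the OS cannot handle) escaping as an uncaught exception. The following is an added example, not Envoy's code: a minimal parser for the PROXY protocol v1 text header that turns the same condition into a per-connection rejection. The `host_supports_ipv6` probe, the `ProxyHeaderError` type and the sample header lines are constructed for illustration.

```python
"""Graceful handling of an unsupported PROXY protocol address family.

Added example, not Envoy's code: a minimal parser for the PROXY protocol v1
text header ("PROXY TCP4|TCP6|UNKNOWN ..."). An address family that this
host cannot handle is reported as a per-connection rejection instead of an
exception that escapes the accept path and takes the whole process down.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional, Union

MAX_V1_HEADER = 107  # longest legal v1 header line, including CRLF

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class ProxyHeaderError(ValueError):
    """Malformed or locally unsupported header: the caller drops the connection."""


@dataclass
class ProxyHeader:
    family: str
    src: Optional[IPAddress]
    dst: Optional[IPAddress]
    src_port: Optional[int]
    dst_port: Optional[int]


def host_supports_ipv6() -> bool:
    """Probe whether this host can open an IPv6 socket (False when IPv6 is disabled)."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM):
            return True
    except OSError:
        return False


def parse_proxy_v1(line: bytes, ipv6_supported: bool) -> ProxyHeader:
    """Parse one PROXY v1 header line.

    Every failure, including an address family this host cannot represent,
    is raised as ProxyHeaderError; no other exception is allowed to escape.
    """
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ProxyHeaderError("malformed header: bad length or terminator")
    try:
        fields = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("malformed header: non-ASCII bytes") from exc
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("malformed header: missing PROXY signature")
    if fields[1] == "UNKNOWN":
        # The spec permits UNKNOWN (trailing fields are ignored): accept the
        # connection but carry no client address.
        return ProxyHeader("UNKNOWN", None, None, None, None)
    if len(fields) != 6:
        raise ProxyHeaderError("malformed header: wrong field count")
    _, family, src, dst, sport, dport = fields
    if family == "TCP4":
        addr_cls = ipaddress.IPv4Address
    elif family == "TCP6":
        if not ipv6_supported:
            # The defensive branch: a family the OS cannot handle is a
            # recoverable, per-connection condition, not a crash.
            raise ProxyHeaderError("unsupported address family on this host: TCP6")
        addr_cls = ipaddress.IPv6Address
    else:
        raise ProxyHeaderError(f"unknown address family: {family!r}")
    try:  # ipaddress.AddressValueError is a ValueError subclass
        src_ip, dst_ip = addr_cls(src), addr_cls(dst)
        src_port, dst_port = int(sport), int(dport)
    except ValueError as exc:
        raise ProxyHeaderError("malformed header: bad address or port") from exc
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyHeaderError("malformed header: port out of range")
    return ProxyHeader(family, src_ip, dst_ip, src_port, dst_port)


def handle_connection(header: bytes, ipv6_supported: bool) -> str:
    """Simulated accept path: maps any header problem to a reject decision."""
    try:
        hdr = parse_proxy_v1(header, ipv6_supported)
    except ProxyHeaderError as exc:
        return f"reject: {exc}"
    return f"accept: {hdr.family} {hdr.src} -> {hdr.dst}"


# Constructed sample headers (documentation addresses, not captured traffic).
SAMPLE_HEADERS = [
    b"PROXY TCP4 192.0.2.10 198.51.100.20 51234 443\r\n",
    b"PROXY TCP6 2001:db8::10 2001:db8::20 51234 443\r\n",
    b"PROXY UNKNOWN\r\n",
    b"PROXY SCTP4 192.0.2.10 198.51.100.20 1 2\r\n",
]

if __name__ == "__main__":
    print(f"host IPv6 support: {host_supports_ipv6()}")
    for h in SAMPLE_HEADERS:
        # Force the IPv6-disabled case so the TCP6 rejection is visible anywhere.
        print(handle_connection(h, ipv6_supported=False))
```

The point of the design is the single exception type at the boundary: whatever goes wrong inside the parser, the accept loop sees one recoverable error, logs it, closes that one connection and keeps serving the others.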
Recommendations

For versions prior to 1.26.7, upgrade to version 1.26.7 or later.
For versions prior to 1.27.3, upgrade to version 1.27.3 or later.
For versions prior to 1.28.1, upgrade to version 1.28.1 or later.
For versions prior to 1.29.1, upgrade to version 1.29.1 or later.

As a temporary workaround, consider disabling the proxy protocol on hosts with IPv6 disabled until a patch is available.
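To apply the recommendations across a fleet, the branch-aware comparison matters: 1.27.2 is affected while 1.26.7 is not, even though 1.27.2 is the newer number. The following is an added example, not from the advisory or the Envoy project, that encodes the four ranges above and names the release to move to. The layout of the sample `envoy --version` line and the placeholder hash in it are assumptions.

```python
"""Affected-version triage for CVE-2024-23325.

Added example, not from the advisory or the Envoy project: decides whether
an Envoy version falls inside the ranges stated in the advisory (prior to
1.26.7, 1.27.3, 1.28.1 and 1.29.1) and names the release to upgrade to.
The sample `envoy --version` line format is an assumption for illustration.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch named in the Recommendations.
FIXED_BY_BRANCH = {
    (1, 26): (1, 26, 7),
    (1, 27): (1, 27, 3),
    (1, 28): (1, 28, 1),
    (1, 29): (1, 29, 1),
}
OLDEST_FIX = min(FIXED_BY_BRANCH.values())  # (1, 26, 7)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def extract_version(text: str) -> Optional[Version]:
    """Pull the first x.y.z triple out of free text, e.g. `envoy --version` output."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def assess(version: Version) -> Tuple[bool, Optional[Version]]:
    """Return (affected, first fixed release to move to, or None).

    Branches 1.26-1.29 are checked against their own fix. Any older release
    is also "prior to 1.26.7" and therefore affected, with 1.26.7 as the
    nearest upgrade target. Releases at or beyond 1.29.1 lie outside every
    listed range (assumption: later branches carry the fix).
    """
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None:
        return (True, fixed) if version < fixed else (False, None)
    if version < OLDEST_FIX:
        return (True, OLDEST_FIX)
    return (False, None)


def fmt(version: Version) -> str:
    return ".".join(str(n) for n in version)


def triage(version_output: str) -> str:
    """One-line verdict for a bare version string or a full `envoy --version` line."""
    version = extract_version(version_output)
    if version is None:
        return "unknown: no x.y.z version found"
    affected, fixed = assess(version)
    if affected:
        return f"{fmt(version)}: AFFECTED, upgrade to {fmt(fixed)} or later"
    return f"{fmt(version)}: not in the affected ranges"


# Constructed samples; the hash is a placeholder and the line layout is assumed.
SAMPLE_VERSION_OUTPUTS = [
    "envoy  version: 0000000000000000000000000000000000000000/1.27.2/Clean/RELEASE/BoringSSL",
    "envoy  version: 0000000000000000000000000000000000000000/1.28.1/Clean/RELEASE/BoringSSL",
    "1.25.0",
    "1.30.0",
]

if __name__ == "__main__":
    for line in SAMPLE_VERSION_OUTPUTS:
        print(triage(line))
```

Feed it the version line collected from each host (for example via the container image label or the binary's own version output) and act on the AFFECTED verdicts; the workaround of disabling the proxy protocol applies only to the hosts that are both flagged here and have IPv6 disabled.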

Weakness Enumeration

Improper Handling of Exceptional Conditions

Related Identifiers

BDU:2024-02906
BIT-ENVOY-2024-23325
CVE-2024-23325
GHSA-5M7C-MRWR-PM26

Affected Products

Envoy
RED OS