PT-2024-2770 · Envoy+1 · Envoy+1
Phlax
·
Published
2024-02-09
·
Updated
2024-04-23
·
CVE-2024-23327
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Envoy versions prior to 1.26.7
Envoy versions prior to 1.27.3
Envoy versions prior to 1.28.1
Envoy versions prior to 1.29.1
Description
The issue is related to pointer dereference errors in the Envoy proxy server. Exploitation of this issue may allow a remote attacker to cause a denial of service. The problem occurs when PPv2 is enabled on both a listener and a subsequent cluster, and the Envoy instance attempts to craft the upstream PPv2 header for a downstream request with a command type of LOCAL and without the protocol block.
Recommendations
For versions prior to 1.26.7, upgrade to version 1.26.7 or later.
For versions prior to 1.27.3, upgrade to version 1.27.3 or later.
For versions prior to 1.28.1, upgrade to version 1.28.1 or later.
For versions prior to 1.29.1, upgrade to version 1.29.1 or later.
Exploit
Fix
NULL Pointer Dereference
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Envoy
Red Os