PT-2024-3092 · Envoy +1

Adiyamankottai Rajaram +1 · Published 2024-04-18 · Updated 2025-09-04 · CVE-2024-32475

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Envoy 1.30.x prior to 1.30.1
Envoy 1.29.x prior to 1.29.4
Envoy 1.28.x prior to 1.28.3
Envoy versions prior to 1.27.5 (all earlier release branches)
Description
The issue arises when an upstream cluster uses a TLS transport socket with `auto_sni` enabled and a request carries a `Host` (HTTP/1.1) or `:authority` (HTTP/2 and HTTP/3) header longer than 255 characters. With `auto_sni`, Envoy copies the request authority into the SNI of the outbound TLS handshake. The TLS library rejects a server name longer than 255 bytes (the maximum length of a DNS hostname, which is what the SNI extension carries), but Envoy assumed that setting the SNI could never fail and did not handle the error; the failed call triggered an assertion, aborting the whole Envoy process. A single unauthenticated request with an oversized host header is therefore enough to cause a denial of service for every connection the proxy is serving. Clusters that do not enable `auto_sni` are not affected.
Recommendations
For Envoy 1.27.x prior to 1.27.5, update to 1.27.5 or later.
For Envoy 1.28.x prior to 1.28.3, update to 1.28.3 or later.
For Envoy 1.29.x prior to 1.29.4, update to 1.29.4 or later.
For Envoy 1.30.x prior to 1.30.1, update to 1.30.1 or later.
As a temporary workaround, restrict the length of the `Host`/`:authority` header to 255 bytes or less before the request is routed to a TLS cluster with `auto_sni`, so that the SNI is never set to an over-long value. Because the limit applies to the value actually handed to the TLS stack, rejecting any authority longer than 255 bytes (including any `:port` suffix) is a safe, if slightly conservative, rule. The workaround does not replace the update: it only keeps the unpatched code path from being reached.

Exploit

Fix

Weakness Enumeration

Assertion Failure

Related Identifiers

BDU:2024-03289
BIT-ENVOY-2024-32475
CVE-2024-32475
GHSA-3MH5-6Q8V-25WJ

Affected Products

Envoy
Red Os