PT-2024-5622 · Linker · Linkerd
Panaji · Published 2024-07-15 · Updated 2024-07-22 · CVE-2024-40632
CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Linkerd versions prior to edge-24.6.2

Description: The issue stems from insufficient server-side request validation in Linkerd and can be exploited to cause a denial of service (DoS). An attacker could make requests to localhost:4191/shutdown, causing the service to shut down. This is achievable when the application run alongside Linkerd is itself susceptible to Server-Side Request Forgery (SSRF). To mitigate this, Linkerd could introduce an optional environment variable that controls a token which must be passed as a header, and reject shutdown requests that do not include this header.

Recommendations: For versions prior to edge-24.6.2, upgrade to edge-24.6.2 to address the issue. As a temporary workaround, restrict access to the localhost:4191/shutdown endpoint until the upgrade is applied. Additionally, introducing an optional environment variable that controls a token which must be passed as a header, and configuring Linkerd to reject shutdown requests that lack this header, can reduce the risk of exploitation.
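The token-gated shutdown endpoint that the description and recommendations propose, written out as an added Go example. This is not Linkerd's own code and does not reproduce its admin server; the environment variable name EXAMPLE_SHUTDOWN_TOKEN and the header name X-Shutdown-Token are assumptions, since the advisory names neither. With the variable unset the handler behaves like the unprotected endpoint the advisory describes; with it set, any request lacking the exact token is refused before the shutdown path runs:

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"os"
	"time"
)

// Hypothetical names chosen for this example; they are not real Linkerd
// settings. The advisory only speaks of "an optional environment variable"
// and "a header", so both identifiers are assumptions.
const (
	shutdownTokenEnv    = "EXAMPLE_SHUTDOWN_TOKEN"
	shutdownTokenHeader = "X-Shutdown-Token"
)

// newShutdownHandler returns the handler for the /shutdown endpoint.
//
// When token is empty the gate is off and every request triggers shutdown,
// which is the pre-fix behaviour the advisory describes: anything that can
// be made to issue a request to localhost:4191 (for example an SSRF in the
// proxied application) can stop the service. When token is non-empty the
// request must carry it in the expected header; otherwise the handler
// answers 403 and never calls shutdown.
func newShutdownHandler(token string, shutdown func()) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if token != "" {
			got := r.Header.Get(shutdownTokenHeader)
			// Constant-time compare so the check does not leak how many
			// leading bytes matched. It returns 0 when the lengths differ,
			// so a missing header fails the check as well.
			if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
				http.Error(w, "forbidden: missing or invalid shutdown token", http.StatusForbidden)
				return
			}
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "shutting down")
		shutdown()
	})
}

// shutdownTokenFromEnv reads the optional token. An unset or empty variable
// leaves the gate off, mirroring the "optional" in the advisory.
func shutdownTokenFromEnv() string {
	return os.Getenv(shutdownTokenEnv)
}

func main() {
	token := shutdownTokenFromEnv()
	if token == "" {
		log.Printf("warning: %s is unset, /shutdown is unauthenticated", shutdownTokenEnv)
	}
	mux := http.NewServeMux()
	mux.Handle("/shutdown", newShutdownHandler(token, func() {
		log.Println("shutdown requested, exiting")
		// Exit on a goroutine after a short delay so the 200 response
		// is flushed to the caller before the process goes away.
		go func() {
			time.Sleep(100 * time.Millisecond)
			os.Exit(0)
		}()
	}))
	// Same loopback admin address as in the advisory.
	log.Fatal(http.ListenAndServe("127.0.0.1:4191", mux))
}
```

The point for a defender is that the gate fails closed on a missing header and that the secret lives in the proxy's environment, which a request forged through the proxied application cannot read. Restricting reachability of the endpoint, as the workaround recommends, remains a complementary control rather than a replacement.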

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

BDU:2024-06321
CVE-2024-40632
GHSA-6V94-GJ6X-JQJ7
GO-2024-2984

Affected Products

Linkerd