ISTIO-SECURITY-2024-007
CVEs reported by Envoy.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2024-53269, CVE-2024-53270, CVE-2024-53271 |
| CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | 1.22.0 to 1.22.6, 1.23.0 to 1.23.3, 1.24.0 to 1.24.1 |
CVE
Envoy CVEs
- CVE-2024-53269 (CVSS Score 4.5, Moderate): Happy Eyeballs: Validate that `additional_address` entries are IP addresses instead of crashing when sorting.
- CVE-2024-53270 (CVSS Score 7.5, High): HTTP/1: sending overload crashes when the request is reset beforehand.
- CVE-2024-53271 (CVSS Score 7.1, High): HTTP/1.1: multiple issues with `envoy.reloadable_features.http1_balsa_delay_reset`.
Am I Impacted?
You are impacted if you are using Istio 1.22.0 to 1.22.6, 1.23.0 to 1.23.3, or 1.24.0 to 1.24.1; upgrade immediately. If you have created a custom EnvoyFilter to enable the Overload manager, avoid using the `http1_server_abort_dispatch` load shed point.
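The two checks above (are you on an affected release, and does a custom EnvoyFilter reference the load shed point the advisory says to avoid) can be scripted so they run against every cluster rather than being eyeballed. The following is an added example, not code from the advisory or from the Istio project. It assumes the EnvoyFilter has already been parsed into a Python dict with the same shape as its YAML, that the Overload manager is configured through Envoy's `overload_manager.loadshed_points[].name` layout, and that the sample manifest embedded below is a constructed one; the walker searches the whole manifest rather than one fixed path, so it also covers manifests laid out differently from the sample.

```python
"""Audit helpers for ISTIO-SECURITY-2024-007 (added example, not Istio's own code)."""
from typing import Any, Iterator

# Affected Istio ranges copied from the advisory: (min_inclusive, max_inclusive).
AFFECTED_RANGES = [
    ((1, 22, 0), (1, 22, 6)),
    ((1, 23, 0), (1, 23, 3)),
    ((1, 24, 0), (1, 24, 1)),
]

# Load shed point named in the advisory; Envoy registers it with a dotted prefix,
# so we compare on the last path component only.
ABORT_DISPATCH_POINT = "http1_server_abort_dispatch"


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'v1.23.2', '1.23.2' or '1.23.2-rc.0' into a comparable tuple."""
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected_istio_version(version: str) -> bool:
    """True if the Istio version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (path, value) for every node of a nested dict/list structure."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def find_abort_dispatch_load_shed_points(envoy_filter: dict) -> list[str]:
    """Return the path of every entry whose `name` is the http1_server_abort_dispatch point."""
    hits = []
    for path, node in _walk(envoy_filter):
        if isinstance(node, dict):
            name = node.get("name")
            if isinstance(name, str) and name.split(".")[-1] == ABORT_DISPATCH_POINT:
                hits.append(path)
    return hits


# Constructed sample EnvoyFilter (dict form of the YAML an operator might apply) that
# enables the Overload manager with the load shed point the advisory warns about.
# The trigger block is illustrative; the layout is assumed from Envoy's overload_manager config.
SAMPLE_ENVOY_FILTER = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "EnvoyFilter",
    "metadata": {"name": "overload-manager", "namespace": "istio-system"},
    "spec": {
        "configPatches": [
            {
                "applyTo": "BOOTSTRAP",
                "patch": {
                    "operation": "MERGE",
                    "value": {
                        "overload_manager": {
                            "loadshed_points": [
                                {
                                    "name": "envoy.load_shed_points.http1_server_abort_dispatch",
                                    "triggers": [
                                        {
                                            "name": "envoy.resource_monitors.fixed_heap",
                                            "threshold": {"value": 0.95},
                                        }
                                    ],
                                }
                            ]
                        }
                    },
                },
            }
        ]
    },
}


if __name__ == "__main__":
    for v in ("1.22.3", "1.23.4", "v1.24.1", "1.24.2"):
        print(f"{v}: {'AFFECTED' if is_affected_istio_version(v) else 'not in an affected range'}")
    for path in find_abort_dispatch_load_shed_points(SAMPLE_ENVOY_FILTER):
        print(f"remove or replace the load shed point at {path}")
```

To run this against a live cluster, feed `is_affected_istio_version` the data-plane versions reported by `istioctl version` and feed `find_abort_dispatch_load_shed_points` each EnvoyFilter object after loading its YAML; a match means the manifest should be changed before (or alongside) the upgrade.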