ISTIO-SECURITY-2024-004
CVEs reported by Envoy.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2024-32976, CVE-2024-32975, CVE-2024-32974, CVE-2024-34363, CVE-2024-34362, CVE-2024-23326, CVE-2024-34364 |
| CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | All releases prior to 1.20.0; 1.20.0 to 1.20.6; 1.21.0 to 1.21.2; 1.22.0 |
CVE
Envoy CVEs
CVE-2024-23326: (CVSS Score 5.9, Moderate): Incorrect handling of responses to HTTP/1 upgrade requests that can lead to request smuggling.
CVE-2024-32974: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
CVE-2024-32975: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
CVE-2024-32976: (CVSS Score 7.5, High): Vulnerability in Brotli decompressor that can lead to an infinite loop.
CVE-2024-34362: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
CVE-2024-34363: (CVSS Score 7.5, High): Vulnerability in Envoy access log JSON formatter that can lead to abnormal process termination.
CVE-2024-34364: (CVSS Score 5.7, Moderate): Unbounded memory consumption in ext_proc and ext_authz.
Am I Impacted?
If you are using JSON access log formatting in Istio 1.22, you are impacted; please upgrade as soon as possible. The request smuggling issue (CVE-2024-23326) also affects users of WebSockets.
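As an added check that is not part of the advisory, the following shell functions test an Istio version string against the affected ranges listed above and test a mesh config for the JSON access log setting (`meshConfig.accessLogEncoding: JSON` is assumed to be how JSON formatting was turned on; the sample config is constructed for illustration).

```shell
#!/bin/sh
# Added example for ISTIO-SECURITY-2024-004, not code from the Istio project.

# Returns 0 if VERSION falls inside an affected range from the advisory
# (prior to 1.20.0; 1.20.0-1.20.6; 1.21.0-1.21.2; 1.22.0), 1 otherwise,
# 2 if the string is not a major.minor.patch version.
istio_version_affected() {
  # drop a leading "v" and any pre-release suffix such as "-rc.1"
  v=$(printf '%s' "$1" | sed 's/^v//; s/-.*$//')
  case "$v" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "unrecognised version: $1" >&2; return 2 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%.*}            # ignore anything after a third dot
  [ "$major" -lt 1 ] && return 0
  [ "$major" -gt 1 ] && return 1          # not a range the advisory lists
  [ "$minor" -lt 20 ] && return 0         # all releases prior to 1.20.0
  case "$minor" in
    20) [ "$patch" -le 6 ] && return 0 ;; # 1.20.0 to 1.20.6
    21) [ "$patch" -le 2 ] && return 0 ;; # 1.21.0 to 1.21.2
    22) [ "$patch" -eq 0 ] && return 0 ;; # 1.22.0
  esac
  return 1
}

# Reads mesh config YAML on stdin; returns 0 if JSON access logging is on.
# Assumption: the encoding is set via meshConfig.accessLogEncoding.
mesh_uses_json_access_logs() {
  grep -Eq '^[[:space:]]*accessLogEncoding:[[:space:]]*JSON[[:space:]]*$'
}

# Constructed sample mesh config (not taken from any real cluster).
SAMPLE_MESH_CONFIG='accessLogFile: /dev/stdout
accessLogEncoding: JSON
enablePrometheusMerge: true
'
```

In a live cluster the version can come from `istioctl version` and the mesh config from `kubectl -n istio-system get configmap istio -o jsonpath='{.data.mesh}'`, piped into these functions.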