ISTIO-SECURITY-2024-006
CVEs reported by Envoy.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2024-45807, CVE-2024-45808, CVE-2024-45806, CVE-2024-45809, CVE-2024-45810 |
| CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | 1.22.0 to 1.22.4, 1.23.0 to 1.23.1 |
CVE
Envoy CVEs
- CVE-2024-45807 (CVSS Score 7.5, High): oghttp2 may crash on `OnBeginHeadersForStream`.
- CVE-2024-45808 (CVSS Score 6.5, Moderate): Lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers enables injection of unexpected content into access logs.
- CVE-2024-45806 (CVSS Score 6.5, Moderate): Potential for `x-envoy` headers to be manipulated by external sources.
- CVE-2024-45809 (CVSS Score 5.3, Moderate): JWT filter crash in the clear route cache with remote JWKs.
- CVE-2024-45810 (CVSS Score 6.5, Moderate): Envoy crashes for `LocalReply` in HTTP async client.
Am I Impacted?
You are impacted if you are using Istio 1.22.0 to 1.22.4 or 1.23.0 to 1.23.1.

If you deploy an Istio Ingress Gateway, you are potentially vulnerable to `x-envoy` header manipulation by external sources. Envoy previously considered all private IPs to be internal by default and, as a result, did not sanitize headers from external sources with private IPs. Envoy added support for the flag `envoy.reloadable_features.explicit_internal_address_config` to explicitly un-trust all IPs. Envoy and Istio currently disable the flag by default for backwards compatibility; in future Envoy and Istio releases the flag `envoy.reloadable_features.explicit_internal_address_config` will be enabled by default. The Envoy flag can be set mesh-wide or per-proxy via the ProxyConfig in `runtimeValues`.
Mesh-wide example configuration:

```yaml
meshConfig:
  defaultConfig:
    runtimeValues:
      "envoy.reloadable_features.explicit_internal_address_config": "true"
```

Per-proxy example configuration:

```yaml
annotations:
  proxy.istio.io/config: |
    runtimeValues:
      "envoy.reloadable_features.explicit_internal_address_config": "true"
```
Note that fields in ProxyConfig are not dynamically configured; changes require a restart of the workloads to take effect.
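The following is an added example, not part of the advisory or of the Istio project's code. It turns the two questions above into a dependency-free check: does an Istio version fall inside the advisory's affected ranges, and does a given proxy actually end up with `envoy.reloadable_features.explicit_internal_address_config` set to `"true"` once the mesh-wide `runtimeValues` and a pod's `proxy.istio.io/config` annotation are combined? The dictionaries passed in are assumed to be the already-parsed `runtimeValues` maps (parse the YAML with a library of your choice); the assumption that the per-proxy annotation overrides the mesh-wide value for the same key is the example's own. Note that the flag only addresses the `x-envoy` header manipulation issue; the crash CVEs listed above are fixed only by upgrading.

```python
# Added example (not from the Istio advisory or the Istio project): a small
# check for ISTIO-SECURITY-2024-006. Inputs are assumed to be the parsed
# `runtimeValues` maps from meshConfig.defaultConfig and from a pod's
# proxy.istio.io/config annotation.

from typing import Dict, Optional, Tuple

# Inclusive ranges taken from the advisory's "Affected Releases".
AFFECTED_RANGES: Tuple[Tuple[Tuple[int, int, int], Tuple[int, int, int]], ...] = (
    ((1, 22, 0), (1, 22, 4)),
    ((1, 23, 0), (1, 23, 1)),
)

# Envoy runtime flag named in the advisory.
FLAG = "envoy.reloadable_features.explicit_internal_address_config"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.22.4', 'v1.22.4' or '1.22.4-distroless' into (1, 22, 4).

    Anything after the first '-' (build or pre-release tag) is ignored, so a
    pre-release of 1.22.5 is treated like 1.22.5 (assumption of this example).
    """
    core = version.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Istio version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected_version(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def flag_enabled(runtime_values: Optional[Dict[str, str]]) -> bool:
    """Envoy runtime values are strings; only the literal 'true' enables the flag."""
    if not runtime_values:
        return False
    return str(runtime_values.get(FLAG, "")).strip().lower() == "true"


def assess_proxy(
    istio_version: str,
    mesh_runtime_values: Optional[Dict[str, str]],
    proxy_runtime_values: Optional[Dict[str, str]] = None,
) -> str:
    """Classify one proxy with respect to the x-envoy header issue (CVE-2024-45806).

    Returns 'not-in-affected-range', 'flag-enabled' or 'flag-disabled'.
    Assumption: a per-proxy annotation overrides the mesh-wide value for the
    same runtime key. The flag does not fix the crash CVEs; upgrade for those.
    """
    if not is_affected_version(istio_version):
        return "not-in-affected-range"
    effective: Dict[str, str] = dict(mesh_runtime_values or {})
    effective.update(proxy_runtime_values or {})
    return "flag-enabled" if flag_enabled(effective) else "flag-disabled"


if __name__ == "__main__":
    # Constructed sample: the mesh-wide default leaves the flag unset and one
    # ingress gateway pod sets it through its proxy.istio.io/config annotation.
    mesh_defaults: Dict[str, str] = {}
    gateway_annotation = {FLAG: "true"}
    for name, version, overrides in [
        ("ingressgateway", "1.22.4", gateway_annotation),
        ("sidecar-app", "1.22.4", None),
        ("sidecar-upgraded", "1.23.2", None),
    ]:
        print(f"{name:18} istio {version:8} -> {assess_proxy(version, mesh_defaults, overrides)}")
```

Run it against the version reported by `istioctl version` and the parsed `runtimeValues` of each proxy; a result of `flag-disabled` on an affected version means the proxy still trusts headers from private-IP sources and needs either the flag (followed by a workload restart, as noted above) or an upgrade.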