CVE-2024-45806 – Potential manipulate `x-envoy` headers from external sources in envoy
https://notcve.org/view.php?id=CVE-2024-45806
Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. This issue arises due to Envoy's default configuration of internal trust boundaries, which considers all RFC1918 private address ranges as internal. The default behavior for handling internal addresses in Envoy has been changed. Previously, RFC1918 IP addresses were automatically considered internal, even if the internal_address_config was empty. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf https://access.redhat.com/security/cve/CVE-2024-45806 https://bugzilla.redhat.com/show_bug.cgi?id=2313683 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2024-45807 – oghttp2 crash on OnBeginHeadersForStream in envoy
https://notcve.org/view.php?id=CVE-2024-45807
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's 1.31 is using `oghttp` as the default HTTP/2 codec, and there are potential bugs around stream management in the codec. To resolve this Envoy will switch off the `oghttp2` by default. The impact of this issue is that envoy will crash. This issue has been addressed in release version 1.31.2. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37 • CWE-670: Always-Incorrect Control Flow Implementation •
CVE-2024-45808 – Malicious log injection via access logs in envoy
https://notcve.org/view.php?id=CVE-2024-45808
Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc https://access.redhat.com/security/cve/CVE-2024-45808 https://bugzilla.redhat.com/show_bug.cgi?id=2313685 • CWE-117: Improper Output Neutralization for Logs •
CVE-2024-45809 – Jwt filter crash in the clear route cache with remote JWKs in envoy
https://notcve.org/view.php?id=CVE-2024-45809
Envoy is a cloud-native high-performance edge/middle/service proxy. Jwt filter will lead to an Envoy crash when clear route cache with remote JWKs. In the following case: 1. remote JWKs are used, which requires async header processing; 2. clear_route_cache is enabled on the provider; 3. header operations are enabled in JWT filter, e.g. header to claims feature; 4. the routing table is configured in a way that the JWT header operations modify requests to not match any route. When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route(). The root cause is the ordering of continueDecoding and clearRouteCache. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2024-45810 – Envoy crashes for LocalReply in http async client
https://notcve.org/view.php?id=CVE-2024-45810
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy will crash when the http async client is handling `sendLocalReply` under some circumstance, e.g., websocket upgrade, and requests mirroring. The http async client will crash during the `sendLocalReply()` in http async client, one reason is http async client is duplicating the status code, another one is the destroy of router is called at the destructor of the async stream, while the stream is deferred deleted at first. There will be problems that the stream decoder is destroyed but its reference is called in `router.onDestroy()`, causing segment fault. This will impact ext_authz if the `upgrade` and `connection` header are allowed, and request mirrorring. • https://github.com/envoyproxy/envoy/security/advisories/GHSA-qm74-x36m-555q https://access.redhat.com/security/cve/CVE-2024-45810 https://bugzilla.redhat.com/show_bug.cgi?id=2313687 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •