CVE-2023-35942

Envoy's gRPC access log crash caused by the listener draining

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, gRPC access loggers using listener's global scope can cause a `use-after-free` crash when the listener is drained. Versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 have a fix for this issue. As a workaround, disable gRPC access log or stop listener update.

A flaw was found in Envoy, where gRPC access loggers using the listener's global scope can cause a use-after-free crash when the listener is drained. This issue can be triggered by a listener discovery service (LDS) update with the same gRPC access log configuration.

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-06-20 CVE Reserved
2023-07-25 CVE Published
2024-10-24 CVE Updated
2024-10-24 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-416: Use After Free

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4	2024-10-24

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-35942	2023-09-14
https://bugzilla.redhat.com/show_bug.cgi?id=2217978	2023-09-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.23.0 < 1.23.12 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.23.0 < 1.23.12"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.24.0 < 1.24.10 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.24.0 < 1.24.10"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.25.0 < 1.25.9 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.25.0 < 1.25.9"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.26.0 < 1.26.4 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.26.0 < 1.26.4"		-		Affected