envoyproxy envoy up to 1.27.6/1.28.4/1.29.6/1.30.3 Route Hash Policy use after free

Summaryinfo

A vulnerability classified as critical has been found in envoyproxy envoy up to 1.27.6/1.28.4/1.29.6/1.30.3. Impacted is an unknown function of the component Route Hash Policy. The manipulation leads to use after free. This vulnerability is listed as CVE-2024-39305. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in envoyproxy envoy up to 1.27.6/1.28.4/1.29.6/1.30.3. It has been rated as critical. This issue affects some unknown processing of the component Route Hash Policy. The manipulation with an unknown input leads to a use after free vulnerability. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be immediately apparent if it was configured. Memory allocated for holding attribute values is freed after configuration was parsed. During request processing Envoy will attempt to copy content of de-allocated memory into request cookie header. This can lead to arbitrary content of Envoy's memory to be sent to the upstream service or abnormal process termination. This vulnerability is fixed in Envoy versions v1.30.4, v1.29.7, v1.28.5, and v1.27.7. As a workaround, do not use cookie attributes in route action hash policy.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2024-39305 since 06/21/2024. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 1.27.7, 1.28.5, 1.29.7 or 1.30.4 eliminates this vulnerability. Applying the patch 02a06681fbe0e039b1c7a9215257a7537eddb518 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Firewall Software

Vendor

• envoyproxy

Name

• envoy

Version

• 1.27.0
• 1.27.1
• 1.27.2
• 1.27.3
• 1.27.4
• 1.27.5
• 1.27.6
• 1.28.0
• 1.28.1
• 1.28.2
• 1.28.3
• 1.28.4
• 1.29.0
• 1.29.1
• 1.29.2
• 1.29.3
• 1.29.4
• 1.29.5
• 1.29.6
• 1.30.0
• 1.30.1
• 1.30.2
• 1.30.3

License

• free

Website

• Product: https://github.com/envoyproxy/envoy/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion