Envoy is a high-performance edge/middle/service proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when the following are true: 1. hedge_on_per_try_timeout is enabled, 2. per_try_idle_timeout is enabled (it can only be done in configuration), 3. per-try-timeout is enabled, either through headers or configuration and its value is equal, or within the backoff interval of the per_try_idle_timeout. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/envoyproxy/envoy/commit/843f9e6a123ed47ce139b421c14e7126f2ac685e | Patch Vendor Advisory |
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38 | Vendor Advisory |
https://github.com/envoyproxy/envoy/commit/843f9e6a123ed47ce139b421c14e7126f2ac685e | Patch Vendor Advisory |
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:57
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/envoyproxy/envoy/commit/843f9e6a123ed47ce139b421c14e7126f2ac685e - Patch, Vendor Advisory | |
References | () https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38 - Vendor Advisory |
15 Feb 2024, 04:48
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | |
Summary |
|
|
First Time |
Envoyproxy
Envoyproxy envoy |
|
References | () https://github.com/envoyproxy/envoy/commit/843f9e6a123ed47ce139b421c14e7126f2ac685e - Patch, Vendor Advisory | |
References | () https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38 - Vendor Advisory |
09 Feb 2024, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-09 23:15
Updated : 2024-11-21 08:57
NVD link : CVE-2024-23322
Mitre link : CVE-2024-23322
CVE.ORG link : CVE-2024-23322
JSON object : View
Products Affected
envoyproxy
- envoy
CWE
CWE-416
Use After Free