CVE-2023-27488: Input Validation
First published: Mon Mar 27 2023(Updated: )
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when `failure_mode_allow: true` is configured for `ext_authz` filter. For affected components that are used for logging and/or visibility, requests may not be logged by the receiving service. When Envoy was configured to use ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service and an http header with non-UTF-8 data was received, Envoy would generate an invalid protobuf message and send it to the configured service. The receiving service would typically generate an error when decoding the protobuf message. For ext_authz that was configured with ``failure_mode_allow: true``, the request would have been allowed in this case. For the other services, this could have resulted in other unforeseen errors such as a lack of visibility into requests. As of versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy by default sanitizes the values sent in gRPC service calls to be valid UTF-8, replacing data that is not valid UTF-8 with a `!` character. This behavioral change can be temporarily reverted by setting runtime guard `envoy.reloadable_features.service_sanitize_non_utf8_strings` to false. As a workaround, one may set `failure_mode_allow: false` for `ext_authz`.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Envoyproxy Envoy | <1.22.9 | |
| Envoyproxy Envoy | >=1.23.0<1.23.6 | |
| Envoyproxy Envoy | >=1.24.0<1.24.4 | |
| Envoyproxy Envoy | >=1.25.0<1.25.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph
- https://access.redhat.com/errata/RHSA-2023:4623
- https://access.redhat.com/security/cve/cve-2023-27488
- https://bugzilla.redhat.com/show_bug.cgi?id=2182156
- https://www.cve.org/CVERecord?id=CVE-2023-27488 https://nvd.nist.gov/vuln/detail/CVE-2023-27488 https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph
Frequently Asked Questions
What is CVE-2023-27488?
CVE-2023-27488 is a vulnerability in Envoy that allows an attacker to bypass authentication checks when ext_authz filter is configured with failure_mode_allow set to true.
What is the severity of CVE-2023-27488?
CVE-2023-27488 has a severity rating of 9.8 (critical).
Which versions of Envoy are affected by CVE-2023-27488?
Versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 of Envoy are affected by CVE-2023-27488.
How can an attacker exploit CVE-2023-27488?
By configuring the ext_authz filter with failure_mode_allow set to true, an attacker can escalate privileges and bypass authentication checks in Envoy.
Is there a fix available for CVE-2023-27488?
Yes, upgrading Envoy to a version equal to or greater than 1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9 will fix CVE-2023-27488.
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-27488
- collector/nvd-index
- collector/redhat-cve
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- vendor/envoyproxy
- canonical/envoyproxy envoy
- version/envoyproxy envoy/1.23.0
- version/envoyproxy envoy/1.24.0
- version/envoyproxy envoy/1.25.0