CVE-2024-45810: Envoy crashes for LocalReply in http async client
First published: Thu Sep 19 2024(Updated: )
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy will crash when the http async client is handling `sendLocalReply` under some circumstance, e.g., websocket upgrade, and requests mirroring. The http async client will crash during the `sendLocalReply()` in http async client, one reason is http async client is duplicating the status code, another one is the destroy of router is called at the destructor of the async stream, while the stream is deferred deleted at first. There will be problems that the stream decoder is destroyed but its reference is called in `router.onDestroy()`, causing segment fault. This will impact ext_authz if the `upgrade` and `connection` header are allowed, and request mirrorring. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Envoy Proxy | <1.28.7 | |
| Envoy Proxy | >=1.29.0<1.29.9 | |
| Envoy Proxy | >=1.30.0<1.30.6 | |
| Envoy Proxy | >=1.31.0<1.31.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-45810?
CVE-2024-45810 has a critical severity as it can lead to crashes in the Envoy proxy under certain conditions.
How do I fix CVE-2024-45810?
To fix CVE-2024-45810, upgrade Envoy Proxy to version 1.28.7 or later, or to a version that is not affected in the specified ranges.
What versions of Envoy are affected by CVE-2024-45810?
CVE-2024-45810 affects Envoy versions prior to 1.28.7, between 1.29.0 and 1.29.9, between 1.30.0 and 1.30.6, and between 1.31.0 and 1.31.2.
What symptoms indicate CVE-2024-45810 is being exploited?
Symptoms of CVE-2024-45810 may include unexpected crashes of the Envoy proxy service during websocket upgrades and request mirroring processes.
Is CVE-2024-45810 a remote vulnerability?
Yes, CVE-2024-45810 is considered a remote vulnerability as it can potentially be exploited by remote attackers through crafted requests.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-45810
- agent/severity
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/envoyproxy
- canonical/envoy proxy
- version/envoy proxy/1.29.0
- version/envoy proxy/1.30.0
- version/envoy proxy/1.31.0