Bug 2333091 (CVE-2024-53270) - CVE-2024-53270 envoy: HTTP/1: sending overload crashes when the request is reset beforehand in envoy
Summary: CVE-2024-53270 envoy: HTTP/1: sending overload crashes when the request is re...
Keywords:
Status: NEW
Alias: CVE-2024-53270
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-12-18 20:02 UTC by OSIDB Bzimport
Modified: 2025-02-05 09:04 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:1053 0 None None None 2025-02-05 09:04:21 UTC

Description OSIDB Bzimport 2024-12-18 20:02:00 UTC 
Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold.
Comment 2 errata-xmlrpc 2025-02-05 09:04:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2025:1053 https://access.redhat.com/errata/RHSA-2025:1053
Note You need to log in before you can comment on or make changes to this bug.