Use after free when route hash policy is configured with cookie attributes

Moderate
yanavlasov published GHSA-fp35-g349-h66f Jun 28, 2024

Package

No package listed

Affected versions

v1.30.3, v1.29.6, v1.28.4, v1.27.6

Patched versions

v1.30.4, v1.29.7, v1.28.5 or v1.27.7

Description

Summary

Envoy references already freed memory when route hash policy is configured with cookie attributes.
Note that this vulnerability has been fixed in the open, as the effect would be immediately apparent if the feature were configured.

Affected Components

Envoy request routing table.

Details

Memory allocated to hold the attribute values is freed after the configuration has been parsed. During request processing, Envoy attempts to copy the contents of that de-allocated memory into the request's cookie header. This can cause arbitrary contents of Envoy's memory to be sent to the upstream service, or abnormal process termination.

Impact

Information disclosure or denial of service due to abnormal process termination.

Attack vector(s)

A request from an untrusted peer.

Patches

This vulnerability is fixed in Envoy versions v1.30.4, v1.29.7, v1.28.5 or v1.27.7.

Workarounds

Do not use cookie attributes in route action hash policy.

Detection

Unexpected characters in the cookie header received at the upstream service, or abnormal process termination with route hash policy methods in the stack trace.
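One way to automate the first of these checks at the upstream service, as an added example (not Envoy's code and not part of the advisory): a Python scanner that flags Cookie header pairs containing bytes outside the RFC 6265 cookie grammar, run over constructed JSON access-log lines. The log format and its "path"/"cookie" field names are assumptions; the check is general to any malformed Cookie header, not only the ones this bug produces.

```python
import json
import re

# RFC 6265 cookie-octet: printable ASCII minus CTLs, SP, DQUOTE, comma, semicolon, backslash.
COOKIE_OCTET = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")
# cookie-name is an HTTP token (RFC 2616 token characters).
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def suspicious_cookie_pairs(cookie_header):
    """Return the (name, value) pairs of a Cookie header that break RFC 6265 syntax.
    Bytes copied from freed memory would not satisfy the cookie-octet grammar."""
    bad = []
    for pair in cookie_header.split(";"):
        pair = pair.lstrip(" ")  # cookie-string = cookie-pair *( ";" SP cookie-pair )
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        # cookie-value may be wrapped in DQUOTEs; check the octets inside them.
        inner = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
        if not sep or not TOKEN.fullmatch(name) or not COOKIE_OCTET.fullmatch(inner):
            bad.append((name, value))
    return bad


def scan_upstream_log(lines):
    """Scan JSON access-log lines (assumed format: {"path": ..., "cookie": ...}) and
    return (line_number, path, bad_pairs) for every line with a malformed Cookie header."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an access-log record; skip it
        bad = suspicious_cookie_pairs(entry.get("cookie", ""))
        if bad:
            findings.append((lineno, entry.get("path"), bad))
    return findings


# Constructed sample log lines (not real Envoy or upstream output). Lines 2 and 3
# imitate attribute bytes read from freed memory: NUL, control and non-ASCII bytes.
SAMPLE_LOG = [
    r'{"path": "/api/items", "cookie": "session=abc123; envoy_hash=5f3a2b"}',
    r'{"path": "/api/cart", "cookie": "session=abc123; envoy_hash=5f3a2b\u0000\u0010\u00c3garbage"}',
    r'{"path": "/api/checkout", "cookie": "session=abc123; env\u001foy_hash=5f3a2b"}',
    r'{"path": "/healthz", "cookie": "flavor=\"choc\""}',
]

if __name__ == "__main__":
    for lineno, path, bad in scan_upstream_log(SAMPLE_LOG):
        print(f"line {lineno} {path}: malformed cookie pairs {bad!r}")
```

A hit on a single request is worth correlating with the Envoy instance's version and route configuration; a sustained stream of hits on one route is the stronger signal.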

Credits

mregxn@gmail.com

Severity

Moderate

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVE ID

CVE-2024-39305