Upgrade Your Envoy Proxy Now to Patch Critical Crash Bug

CVE: CVE-2024-23322
CVSS (v3.1): 7.5
Source: CVE-2024-23322

Envoy is a popular open source edge proxy and service mesh proxy. Researchers recently disclosed a vulnerability that can cause Envoy to crash under specific timeout configurations.

The bug is triggered by a combination of timeout settings: a per-try idle timeout and a per-try timeout configured to equal or similar values on a route that also has hedging on per-try timeout enabled. With that combination in place, a request can drive Envoy into a crash.

A malicious actor could potentially trigger this crash by sending carefully crafted requests to Envoy. This would cause the proxy to become unavailable, disrupting traffic and services that rely on it.

Luckily, the Envoy developers were quick to address this issue. Versions 1.29.1, 1.28.1, 1.27.3 and 1.26.7 of Envoy all contain fixes for the vulnerability.
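To find routes carrying the timeout combination described above and to check a running version against the fixed releases listed here, the following audit script is an added example (not code from the advisory or from the Envoy project). It walks a route configuration in Envoy's RouteConfiguration field layout (`retry_policy.per_try_timeout`, `retry_policy.per_try_idle_timeout`, `hedge_policy.hedge_on_per_try_timeout`); the "similar values" tolerance and the embedded sample configuration are assumptions.

```python
import re

FIXED = {(1, 29): (1, 29, 1), (1, 28): (1, 28, 1), (1, 27): (1, 27, 3), (1, 26): (1, 26, 7)}  # fixed releases from the advisory

def parse_version(v):
    """'v1.28.0' -> (1, 28, 0)."""
    return tuple(int(x) for x in v.lstrip("v").split(".")[:3])

def is_fixed_version(v):
    """True if this Envoy version contains the fix for the crash bug."""
    ver = parse_version(v)
    fixed = FIXED.get(ver[:2])
    # Minor lines newer than 1.29 shipped after the fix; lines older than 1.26 got no fix.
    return ver >= (fixed if fixed else (1, 29, 1))

def duration_seconds(d):
    """Envoy Duration string ('5s', '250ms', '1.5s') -> seconds as float."""
    m = re.fullmatch(r"([0-9.]+)(ms|s)", d)
    if not m:
        raise ValueError(f"unsupported duration: {d}")
    return float(m.group(1)) / (1000.0 if m.group(2) == "ms" else 1.0)

def find_risky_routes(route_config, tolerance=0.5):
    """Return (virtual-host name, route index) for routes that hedge on per-try timeout and whose
    per-try idle timeout is within `tolerance` seconds (assumed heuristic) of the per-try timeout."""
    risky = []
    for vh in route_config.get("virtual_hosts", []):
        for i, entry in enumerate(vh.get("routes", [])):
            r = entry.get("route", {})
            retry, hedge = r.get("retry_policy", {}), r.get("hedge_policy", {})
            idle = retry.get("per_try_idle_timeout")
            if not hedge.get("hedge_on_per_try_timeout") or idle is None:
                continue
            # An unset per-try timeout falls back to the route timeout (Envoy default 15s).
            per_try = retry.get("per_try_timeout") or r.get("timeout") or "15s"
            if abs(duration_seconds(idle) - duration_seconds(per_try)) <= tolerance:
                risky.append((vh.get("name", "?"), i))
    return risky

# Constructed sample route configuration (not from a real deployment).
SAMPLE_ROUTE_CONFIG = {"virtual_hosts": [{"name": "backend", "routes": [
    {"match": {"prefix": "/api"}, "route": {"cluster": "api", "timeout": "5s",
        "retry_policy": {"per_try_timeout": "2s", "per_try_idle_timeout": "2s"},
        "hedge_policy": {"hedge_on_per_try_timeout": True}}},
    {"match": {"prefix": "/static"}, "route": {"cluster": "static", "timeout": "5s",
        "retry_policy": {"per_try_idle_timeout": "1s"},
        "hedge_policy": {"hedge_on_per_try_timeout": True}}},
    {"match": {"prefix": "/"}, "route": {"cluster": "web",
        "retry_policy": {"per_try_timeout": "2s", "per_try_idle_timeout": "2s"}}},
]}]}
```

Running `find_risky_routes(SAMPLE_ROUTE_CONFIG)` flags only the `/api` route; the `/static` route is skipped because its per-try timeout falls back to 5s, and the `/` route because it does not hedge.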

If you use Envoy as your edge proxy or service mesh, you should immediately upgrade to one of these patched versions. Doing so will prevent your instance from potentially crashing due to this timeout bug.

Taking a few minutes to update Envoy now can help protect your services from any outages this vulnerability could enable. Don’t leave yourself exposed – upgrade your Envoy proxy without delay.
