It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-647 advisory.

    2024-07-17: CVE-2024-30255 was added to this advisory.

    Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability     exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC     https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching protocols. Envoy     incorrectly accepts a 200 response from a server when requesting a protocol upgrade, but 200 does not     indicate protocol switch. This opens up the possibility of request smuggling through Envoy if the server     can be tricked into adding the upgrade header to the response. (CVE-2024-23326)

    Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions     prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION     frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even     after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION     frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per     300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to     version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a     workaround, disable HTTP/2 protocol for downstream connections. (CVE-2024-30255)

    Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with     `auto_sni` enabled, a request containing a `host`/`:authority` header longer than 255 characters triggers     an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for     outbound TLS connection. The error can occur when Envoy attempts to use the `host`/`:authority` header     value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255     characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the     process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5. (CVE-2024-32475)

    Envoy is a cloud-native, open source edge and service proxy. A crash was observed in     `EnvoyQuicServerStream::OnInitialHeadersComplete()` with following call stack. It is a use-after-free     caused by QUICHE continuing push request headers after `StopReading()` being called on the stream. As     after `StopReading()`, the HCM's `ActiveStream` might have already be destroyed and any up calls from     QUICHE could potentially cause use after free. (CVE-2024-32974)

    Envoy is a cloud-native, open source edge and service proxy. There is a crash at     `QuicheDataReader::PeekVarInt62Length()`. It is caused by integer underflow in the     `QuicStreamSequencerBuffer::PeekRegion()` implementation. (CVE-2024-32975)

    Envoy is a cloud-native, open source edge and service proxy. Envoyproxy with a Brotli filter can get into     an endless loop during decompression of Brotli data with extra input. (CVE-2024-32976)

    Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in     `HttpConnectionManager` (HCM) with `EnvoyQuicServerStream` that can crash Envoy. An attacker can exploit     this vulnerability by sending a request without `FIN`, then a `RESET_STREAM` frame, and then after     receiving the response, closing the connection. (CVE-2024-34362)

    Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON     library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings     were serialized. The uncaught exception would cause Envoy to crash. (CVE-2024-34363)

    Envoy is a cloud-native, open source edge and service proxy. Envoy exposed an out-of-memory (OOM) vector     from the mirror response, since async HTTP client will buffer the response with an unbounded buffer.
    (CVE-2024-34364)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2024-647)

high Nessus Plugin ID 200911

Version 1.4

Version 1.2

Version 1.1

Version 1.4 Jul 19, 2024, 12:17 PM CVE (set "CVE" coverage to "CVE-2024-23326,CVE-2024-30255,CVE-2024-32475,CVE-2024-32974,CVE-2024-32975,CVE-2024-32976,CVE-2024-34362,CVE-2024-34363,CVE-2024-34364") Exploit attributes ("Exploitability ease" changed from "Exploits are available" to "No known exploits are available". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin metadata Plugin Feed: 202407191217
Version 1.2 Jun 25, 2024, 9:36 AM Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202406250936
Version 1.1 Jun 25, 2024, 3:40 AM New Plugin Feed: 202406250340