Upcoming release to fix CVE-2024-39305

[Yan Avlasov]

Hello Envoy Community,

We are announcing an upcoming release to address an Envoy vulnerability in HTTP route configuration. This vulnerability was assigned CVE-2024-39305 id. Envoy's versions v1.30.3, v1.29.6, v1.28.4, v1.27.6 and earlier are affected. New releases are in progress and will be announced as soon as they are published.

The vulnerability affects route configuration that uses hash policy that sets cookie attributes. For more information see https://github.com/envoyproxy/envoy/security/advisories/GHSA-fp35-g349-h66f

During our evaluation we found that the cookie attribute configuration was trivially broken and could not function when enabled in production, and thus can be fixed in the open, bypassing the security process.

Thanks,

Yan Avlasov (on behalf of the Envoy security team)