Security releases of Envoy (v1.22.10, v1.23.7, v1.24.5, v1.25.4) are now available


ry...@synca.io

Apr 5, 2023, 12:37:44 PM4/5/23
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-s...@googlegroups.com, envoy-ma...@googlegroups.com
Hello Envoy community,

The Envoy security team would like to announce the availability of Envoy
versions:

- v1.22.10
- v1.23.7
- v1.24.5
- v1.25.4

More information about the releases can be found at
https://github.com/envoyproxy/envoy/releases

This set of releases addresses the following CVEs:

----

* CVE-2023-27496: Crash when a redirect url without a state param is
received in the oauth filter
Severity: 6.5 (Moderate)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Advisory:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-j79q-2g66-2xv5

If Envoy is running with the OAuth filter enabled and exposed, a malicious
actor could construct a request which would cause denial of service by
crashing Envoy.

----

* CVE-2023-27488: gRPC client produces invalid protobuf when an HTTP
header with non-UTF8 value is received
Severity: 5.4 (Moderate)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Advisory:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph

An attacker can use this vulnerability to bypass auth checks when
ext_authz is used.

----

* CVE-2023-27493: Envoy doesn't escape HTTP header values
Severity: 8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Advisory:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q

The vulnerability is triggered by a specifically constructed HTTP request
or by an mTLS connection with a specifically crafted client certificate.

Envoy configuration must also include an option to add request headers
that were generated using inputs from the request, i.e. the peer
certificate SAN.

----

* CVE-2023-27492: Crash when a large request body is processed in Lua
filter
Severity: 4.8 (Moderate)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
Advisory:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2

Attackers can send large request bodies for routes that have Lua filter
enabled and trigger crashes.

----

* CVE-2023-27491: Envoy forwards invalid HTTP/2 and HTTP/3 downstream
headers
Severity: 5.4 (Moderate)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Advisory:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp

Attackers can send specifically crafted HTTP/2 or HTTP/3 requests to
trigger parsing errors on an HTTP/1 upstream service.

----

* CVE-2023-27487: Client may fake the header `x-envoy-original-path`
Severity: 8.2 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Advisory:
https://github.com/envoyproxy/envoy/security/advisories/GHSA-5375-pq35-hf2g

The header x-envoy-original-path should be an internal header, but Envoy
does not remove this header from the request at the beginning of request
processing when it is sent from an untrusted client.

The faked header would then be used for trace logs and grpc logs, as
well as used in the URL used for jwt_authn checks if the jwt_authn
filter is used, and any other upstream use of the x-envoy-original-path
header.
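As an added defensive example (not part of this announcement or the advisory's own guidance), the listener configuration below rejects any request that arrives from a client with the internal header x-envoy-original-path already set, for deployments that cannot upgrade immediately. It assumes the RBAC filter is the first http_filter on an internet-facing listener (so it runs before jwt_authn, access logging or the router can read the header), and that the listener is not a hop behind another trusted Envoy, which may legitimately forward the header; the listener, route and cluster names are placeholders.

```yaml
# Added example, not Envoy project configuration: deny at the edge any
# request that reaches Envoy with x-envoy-original-path already present.
# Assumption: this listener faces untrusted clients directly, so the header
# can only have been supplied by the client, never by a trusted Envoy hop.
static_resources:
  listeners:
  - name: public_http                      # placeholder name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: upstream_service }   # placeholder cluster
          http_filters:
          # The RBAC filter must be first so the check runs before any
          # other filter (for example jwt_authn) consults the header.
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              rules:
                action: DENY
                policies:
                  deny-client-supplied-internal-header:
                    permissions:
                    # Match on mere presence of the header, regardless of value.
                    - header:
                        name: x-envoy-original-path
                        present_match: true
                    principals:
                    - any: true
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Requests matching the policy are answered with 403 by the RBAC filter; the denial is counted in the filter's rbac stats, which gives a cheap detection signal for clients probing with the header.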

----

We would like to thank the reporters and contributors who have made
these releases possible.

Thanks,

Ryan Northey (@phlax)

On behalf of the Envoy security team and maintainers.

Attachment: envoy-patches-2023-03.final.0.tar.gz