Upcoming release to fix CVE-2024-39305


Yan Avlasov

Jun 28, 2024, 7:56:20 PM
to envoy-security, envoy-a...@googlegroups.com, Envoy-maintainers, Envoy Users, envoy-dev, envoy-secur...@googlegroups.com
Hello Envoy Community,

We are announcing an upcoming release to address an Envoy vulnerability in HTTP route configuration. This vulnerability has been assigned the id CVE-2024-39305. Envoy versions v1.30.3, v1.29.6, v1.28.4, v1.27.6 and earlier are affected. New releases are in progress and will be announced as soon as they are published.

The vulnerability affects route configuration that uses a hash policy that sets cookie attributes. For more information, see https://github.com/envoyproxy/envoy/security/advisories/GHSA-fp35-g349-h66f

During our evaluation we found that the cookie attribute configuration was trivially broken and could not function when enabled in production, and thus can be fixed in the open, bypassing the security process.

Thanks,
Yan Avlasov (on behalf of the Envoy security team)

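Added example (not part of the announcement above and not Envoy project code): a small script that does the two checks a practitioner would want after reading this message, namely whether a route configuration contains a hash policy whose cookie sets attributes, and whether a running Envoy version falls within the versions listed as affected. The field names `hash_policy`, `cookie` and `attributes` are assumed to follow Envoy's route API (`RouteAction.HashPolicy.Cookie`); verify them against the linked advisory and your Envoy version's API reference. The configuration is handled as JSON (Envoy accepts JSON as well as YAML); the sample route configuration is constructed for this example. Versions newer than those listed are reported as not covered, because the announcement does not say which later releases carry the fix.

```python
"""Added example, not from the Envoy project or the announcement:
scan an Envoy route configuration for a hash_policy cookie that sets
attributes, and classify an Envoy version against the listed affected
versions. Field names are an assumption taken from Envoy's route API."""
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Versions the announcement lists as affected ("... and earlier"), keyed by
# minor line. Anything newer is not claimed either way by the announcement.
AFFECTED_CEILINGS = {
    (1, 30): (1, 30, 3),
    (1, 29): (1, 29, 6),
    (1, 28): (1, 28, 4),
    (1, 27): (1, 27, 6),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v1.30.3' or '1.30.3' into (1, 30, 3)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Envoy version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_status(text: str) -> str:
    """'affected' for the listed versions and anything older;
    'not covered by announcement' for anything newer."""
    v = parse_version(text)
    line = v[:2]
    if line in AFFECTED_CEILINGS:
        return "affected" if v <= AFFECTED_CEILINGS[line] else "not covered by announcement"
    if line < (1, 27):
        # Older than the oldest listed line: "and earlier" in the announcement.
        return "affected"
    return "not covered by announcement"


def find_cookie_attribute_hash_policies(node: Any, path: str = "$") -> Iterator[tuple[str, list]]:
    """Walk a parsed Envoy config and yield (json_path, attributes) for every
    hash_policy entry whose cookie sets a non-empty attributes list.
    Field names assumed from Envoy's RouteAction.HashPolicy.Cookie API."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "hash_policy" and isinstance(value, list):
                for i, policy in enumerate(value):
                    cookie = policy.get("cookie") if isinstance(policy, dict) else None
                    attrs = cookie.get("attributes") if isinstance(cookie, dict) else None
                    if attrs:
                        yield f"{child}[{i}].cookie.attributes", attrs
            yield from find_cookie_attribute_hash_policies(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_cookie_attribute_hash_policies(item, f"{path}[{i}]")


def scan_config(config: Any) -> list[str]:
    """JSON paths of every cookie hash policy that sets attributes."""
    return [p for p, _ in find_cookie_attribute_hash_policies(config)]


# Constructed sample: one sticky route with cookie attributes (matches the
# pattern in the announcement) and one without.
SAMPLE_ROUTE_CONFIG = json.loads("""
{
  "name": "local_route",
  "virtual_hosts": [{
    "name": "backend",
    "domains": ["*"],
    "routes": [
      {"match": {"prefix": "/sticky"},
       "route": {"cluster": "app",
                 "hash_policy": [{"cookie": {"name": "session", "ttl": "3600s",
                                  "attributes": [{"name": "SameSite", "value": "Lax"}]}}]}},
      {"match": {"prefix": "/"},
       "route": {"cluster": "app",
                 "hash_policy": [{"cookie": {"name": "session", "ttl": "3600s"}}]}}
    ]
  }]
}
""")

if __name__ == "__main__":
    for p in scan_config(SAMPLE_ROUTE_CONFIG):
        print("cookie attributes set at", p)
    for v in ("v1.30.3", "v1.30.4", "1.26.0"):
        print(v, version_status(v))
```

To run it against a real deployment, load the route configuration that Envoy actually serves (for example the dump from the admin `/config_dump` endpoint, converted to JSON) and pass it to `scan_config`; an empty result means no route matches the affected pattern, while any hit should be cross-checked with `version_status` and the advisory before deciding whether to wait for the fixed release or remove the attributes.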