CVE-2023-27488 : Security Advisory and Response

Learn about CVE-2023-27488 impacting Envoy proxy versions prior to 1.26.0, leading to invalid protobuf generation from non-UTF-8 HTTP headers.

This CVE record pertains to a vulnerability in the Envoy gRPC client that produces an invalid protobuf message when Envoy receives an HTTP header with a non-UTF-8 value.

Understanding CVE-2023-27488

This vulnerability affects versions of Envoy proxy prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. It allows for privilege escalation when the failure_mode_allow: true configuration is set for the ext_authz filter, because a request whose authorization check fails with an error is then allowed through; it can also affect logging and visibility components that consume the same malformed messages.

What is CVE-2023-27488?

The vulnerability in Envoy gRPC client results in the generation of invalid protobuf messages when an HTTP header containing non-UTF-8 data is received. This could lead to errors during message decoding by the receiving service, affecting the proper functioning of ext_authz, ext_proc, tap, ratelimit filters, and grpc access log service.

The Impact of CVE-2023-27488

The impact of this vulnerability includes the potential for privilege escalation and the failure to log requests by the receiving service when certain configurations are in place, impacting the overall visibility and integrity of the system.

Technical Details of CVE-2023-27488

This section delves into the specifics of the vulnerability, including the description, affected systems and versions, and the exploitation mechanism.

Vulnerability Description

The vulnerability allows for the creation of invalid protobuf messages in Envoy when non-UTF-8 data is present in HTTP headers, potentially leading to errors in message decoding by the receiving service.

Affected Systems and Versions

Envoy versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 are affected by this vulnerability, specifically impacting configurations that set failure_mode_allow: true for the ext_authz filter.

Exploitation Mechanism

The exploitation of this vulnerability occurs when Envoy processes HTTP headers with non-UTF-8 values, triggering the generation of invalid protobuf messages and potential errors during message decoding by the receiving service.

Mitigation and Prevention

To address CVE-2023-27488, immediate steps can be taken to mitigate the risk and prevent exploitation of the vulnerability.

Immediate Steps to Take

        Ensure that Envoy is updated to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9 to mitigate the vulnerability.
        Adjust the failure_mode_allow setting of the ext_authz filter to minimize privilege escalation risks.
        Consider implementing workarounds such as setting failure_mode_allow: false for ext_authz to enhance security.
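As an added illustration (not from the advisory and not Envoy's own tooling), the following Python audit walks an Envoy configuration in its JSON form, reports every ext_authz filter configured with failure_mode_allow: true, and produces a fail-closed copy. The listener name, cluster name and stat_prefix in the sample configuration are constructed values.

```python
import json
from typing import Any, Iterator

# Real Envoy v3 type URLs for the filters involved.
HCM = "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
EXT_AUTHZ = "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
ROUTER = "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"

# Constructed sample (not from the advisory): one listener whose ext_authz filter fails open.
SAMPLE_CONFIG = {"static_resources": {"listeners": [{"name": "ingress", "filter_chains": [{"filters": [{
    "name": "envoy.filters.network.http_connection_manager",
    "typed_config": {"@type": HCM, "stat_prefix": "ingress_http", "http_filters": [
        {"name": "envoy.filters.http.ext_authz",
         "typed_config": {"@type": EXT_AUTHZ, "failure_mode_allow": True,
                          "grpc_service": {"envoy_grpc": {"cluster_name": "authz"}}}},
        {"name": "envoy.filters.http.router", "typed_config": {"@type": ROUTER}},
    ]}}]}]}]}}


def iter_ext_authz(node: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Walk the whole config tree and yield (path, typed_config) for every ExtAuthz filter,
    wherever it sits (static listeners, nested filter chains, ...)."""
    if isinstance(node, dict):
        if str(node.get("@type", "")).endswith("ext_authz.v3.ExtAuthz"):
            yield path, node
        for key, value in node.items():
            yield from iter_ext_authz(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_ext_authz(value, f"{path}[{index}]")


def find_fail_open_ext_authz(config: dict) -> list[str]:
    """Return the paths of ext_authz filters that fail open (failure_mode_allow: true)."""
    return [path for path, cfg in iter_ext_authz(config) if cfg.get("failure_mode_allow") is True]


def harden(config: dict) -> dict:
    """Return a deep copy of the config in which every ext_authz filter fails closed."""
    fixed = json.loads(json.dumps(config))  # cheap deep copy of a JSON-shaped tree
    for _, cfg in iter_ext_authz(fixed):
        cfg["failure_mode_allow"] = False
    return fixed


if __name__ == "__main__":
    for path in find_fail_open_ext_authz(SAMPLE_CONFIG):
        print("ext_authz fails open at", path)
    print(json.dumps(harden(SAMPLE_CONFIG), indent=2))
```

Run it against `envoy --config-path` material converted to JSON (or the admin `/config_dump` output) to list fail-open ext_authz filters before and after applying the advisory's workaround.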

Long-Term Security Practices

        Regularly update Envoy to the latest versions to address known vulnerabilities and enhance security.
        Stay informed about security advisories and best practices for securing Envoy deployments to prevent future exploits.

Patching and Updates

Envoy has released patches in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 to address this vulnerability. It is crucial to apply these updates promptly to secure the Envoy deployments against CVE-2023-27488.
