CVE-2023-27488: 
NixOS vulnerability analysis and mitigation

Envoy, an open source edge and service proxy designed for cloud-native applications, was found to have a vulnerability (CVE-2023-27488) affecting versions prior to 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9. The vulnerability occurs when Envoy is configured to use extauthz, extproc, tap, ratelimit filters, and grpc access log service, where an HTTP header with non-UTF-8 data could lead to privilege escalation and logging visibility issues (GitHub Advisory, NVD).

When receiving an HTTP header with non-UTF-8 data, Envoy would generate an invalid protobuf message and send it to the configured service. The receiving service would typically generate an error when decoding the protobuf message. For extauthz configured with `failuremode_allow: true`, the request would be allowed, potentially bypassing authentication checks. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) by NVD and 5.4 (Medium) by GitHub, indicating its significant security impact (NVD, GitHub Advisory).

The vulnerability can lead to two primary impacts: First, escalation of privileges when failure_mode_allow: true is configured for the ext_authz filter, potentially allowing authentication bypass. Second, for affected components used for logging and visibility, requests may not be properly logged by the receiving service, resulting in reduced visibility and potential security monitoring gaps (GitHub Advisory).

Several mitigation options are available: 1) Upgrade to the patched versions (1.26.0, 1.25.3, 1.24.4, 1.23.6, or 1.22.9), where Envoy now sanitizes values sent in gRPC service calls to be valid UTF-8, replacing invalid data with a '!' character. 2) Set failure_mode_allow: false for extauthz as a temporary workaround. 3) The new behavior can be temporarily reverted by setting runtime guard `envoy.reloadablefeatures.servicesanitizenonutf8strings` to false (GitHub Advisory).