
Cloud Vulnerability DB
A community-led vulnerabilities database
Envoy, an open source edge and service proxy designed for cloud-native applications, was found to contain a vulnerability in its Lua HTTP filter. The vulnerability (CVE-2023-27492) was disclosed on April 4, 2023, and affects all releases before 1.26.0 as well as the 1.25, 1.24, 1.23 and 1.22 release branches before 1.25.3, 1.24.4, 1.23.6 and 1.22.9 respectively. It allows an attacker to crash the proxy by sending a large request body to any route on which the Lua filter is enabled (GitHub Advisory).
The root cause is that the Lua filter could resume its coroutine after it had already sent a local reply because the request or response body was too large. When a Lua script asks for the body, the filter buffers the entire body before the script continues. If that body exceeds the configured buffer limit, Envoy sends a local error reply and tears down the filter, but on affected versions the coroutine was nonetheless resumed; the script's subsequent operations against the destroyed filter, such as further HTTP calls issued from Lua, then touched freed state and could crash the process (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM by NVD and 4.8 MEDIUM by GitHub (NVD).
The impact is denial of service: a single oversized request body on a Lua-enabled route can crash the Envoy process and take down every connection it is serving until it is restarted (GitHub Advisory).
The vulnerability is fixed in versions 1.26.0, 1.25.3, 1.24.4, 1.23.6 and 1.22.9, which no longer invoke the Lua coroutine once the filter has been reset. Deployments that cannot upgrade and whose Lua filter buffers entire requests or responses can mitigate by placing the buffer filter ahead of the Lua filter in the HTTP filter chain, so that oversized bodies are rejected with a 413 before the Lua filter ever has to send the "body too large" local reply that triggers the bug (GitHub Advisory).
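The following is an added example, not configuration from the advisory or from the Envoy project, of what that workaround looks like on a pre-fix release. It is a minimal static bootstrap whose Lua script calls `request_handle:body()` (the buffering pattern described above) and whose filter chain runs `envoy.filters.http.buffer` ahead of the Lua filter. The listener port, upstream address, buffer sizes and header name are illustrative assumptions.

```yaml
# Added example (not from the advisory or the Envoy project).
# The buffer filter is ordered before the Lua filter so that a request body
# larger than max_request_bytes is rejected with 413 by the buffer filter,
# and the Lua filter's own "body too large" local reply is never sent.
# Ports, addresses and limits below are illustrative assumptions.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    # Connection-level buffer limit; this is the limit the Lua filter's
    # body() buffering runs into on an unpatched release.
    per_connection_buffer_limit_bytes: 1048576
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          # Workaround from the advisory: reject oversized bodies here,
          # before the Lua filter buffers them. Size this to the largest
          # body the Lua script legitimately needs to see (512 KiB here).
          - name: envoy.filters.http.buffer
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.buffer.v3.Buffer
              max_request_bytes: 524288
          # The pattern the advisory describes: calling body() buffers the
          # whole request before the script resumes.
          - name: envoy.filters.http.lua
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              default_source_code:
                inline_string: |
                  function envoy_on_request(request_handle)
                    -- body() returns nil when the request has no body.
                    local body = request_handle:body()
                    if body ~= nil then
                      -- Illustrative header name (assumption).
                      request_handle:headers():add("x-body-bytes", tostring(body:length()))
                    end
                  end
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend
    type: STATIC
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

To confirm the chain behaves as intended, send a request whose body is larger than `max_request_bytes` (for example 600 KiB with this configuration) and verify that the proxy answers 413 and stays up; a body under the limit should reach the upstream with the added header. Removing the buffer filter from the chain restores the configuration the advisory describes as vulnerable on unpatched releases, so the workaround is only effective while the buffer filter remains in front of every Lua filter that calls `body()`.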
Source: This report was generated using AI