CVE-2024-23327: 
NixOS vulnerability analysis and mitigation

CVE-2024-23327 affects Envoy, a high-performance edge/middle/service proxy. The vulnerability was discovered and disclosed in February 2024, where a segmentation fault occurs when Proxy Protocol v2 (PPv2) is enabled on both a listener and subsequent cluster. This specifically happens when the downstream request has a command type of LOCAL and does not have the protocol block (GitHub Advisory, NVD).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) issue. When attempting to craft the upstream PPv2 header, Envoy will segfault if specific conditions are met. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (GitHub Advisory).

The primary impact of this vulnerability is a Denial of Service (DoS) condition through application crash. The vulnerability affects the availability of the service while having no direct impact on confidentiality or integrity. This is particularly concerning for environments using AWS Network Load Balancer (NLB) health checks with proxy protocol enabled (GitHub Advisory).

The vulnerability has been fixed in multiple Envoy versions: 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are strongly advised to upgrade to these patched versions. There are no known workarounds for this vulnerability other than upgrading to a fixed version (NVD).