CVE-2024-45810: 
Envoy vulnerability analysis and mitigation

Envoy, a cloud-native high-performance edge/middle/service proxy, contains a vulnerability (CVE-2024-45810) where the system crashes when the HTTP async client handles sendLocalReply under specific circumstances, such as websocket upgrade and requests mirroring. The vulnerability was discovered and disclosed in September 2024, affecting multiple versions of Envoy. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7 (NVD, GitHub Advisory).

The vulnerability occurs during the sendLocalReply() operation in the HTTP async client. There are two main technical issues: the HTTP async client duplicates the status code, and the router is destroyed at the destructor of the async stream while the stream is deferred deleted initially. This creates a condition where the stream decoder is destroyed but its reference is still called in router.onDestroy(), resulting in a segment fault. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST and 6.5 (MEDIUM) by GitHub (NVD).

The vulnerability primarily affects the system's availability, causing Envoy to crash and stop serving any traffic. This particularly impacts ext_authz functionality when the upgrade and connection headers are allowed, and request mirroring is enabled. The crash results in a complete service disruption until the system is restarted (GitHub Advisory).

The vulnerability has been patched in multiple versions: 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are strongly advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (NVD).