CVE-2023-35945 is a memory leak vulnerability in the HTTP/2 codec of the Envoy proxy.
This article covers the impact, technical details, and mitigation of CVE-2023-35945, which affects Envoy versions 1.26.0 to 1.23.0.
Understanding CVE-2023-35945
This section explores the impact, technical details, and mitigation strategies for the CVE.
What is CVE-2023-35945?
Envoy, a cloud-native high-performance edge/middle/service proxy, is vulnerable to a memory leak in its HTTP/2 codec. The vulnerability occurs when a specific sequence of frames is received from an upstream server.
The Impact of CVE-2023-35945
The vulnerability allows an attacker to cause memory exhaustion, leading to denial of service. It affects Envoy versions 1.26.0 to 1.23.0.
Technical Details of CVE-2023-35945
This section delves into the vulnerability description, affected systems, and exploitation mechanisms.
Vulnerability Description
Envoy's HTTP/2 codec may leak memory due to an error in handling specific frame sequences, leading to denial of service through memory exhaustion.
Affected Systems and Versions
The vulnerability impacts Envoy versions 1.26.0 to 1.23.0.
Exploitation Mechanism
The vulnerability can be exploited by sending an 'RST_STREAM' frame followed by 'GOAWAY' frames, which triggers the memory leak in the nghttp2 codec.
Mitigation and Prevention
This section outlines steps to mitigate the CVE and prevent future occurrences.
Immediate Steps to Take
Users should update Envoy to patched versions 1.26.3, 1.25.8, 1.24.9, or 1.23.11 to address the memory leak vulnerability.
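One way to check an inventory against the fixed releases listed above is shown below. This is an added example, not code from the Envoy project; the host names, the sample version strings, and the assumed `envoy --version` build-string layout are constructed for illustration. It treats any release in a listed minor line that is below that line's fixed patch as needing an upgrade, and flags lines the page does not list instead of guessing.

```python
import re

# Fixed release per minor line, taken from the versions listed on this page.
FIXED = {(1, 26): 3, (1, 25): 8, (1, 24): 9, (1, 23): 11}

# Matches a dotted x.y.z version that is not part of a longer dotted number.
VERSION_RE = re.compile(r"(?<![\d.])v?(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return (major, minor, patch) found in a version, tag or build string."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Return 'patched', 'upgrade', 'not-covered' or 'unparsed'."""
    v = parse_version(text)
    if v is None:
        return "unparsed"
    fixed_patch = FIXED.get(v[:2])
    if fixed_patch is None:
        # Release line is not listed on this page: consult the vendor advisory.
        return "not-covered"
    # Integer comparison, so 1.23.10 correctly sorts below 1.23.11.
    return "patched" if v[2] >= fixed_patch else "upgrade"


def upgrade_target(text):
    """Return the fixed release for this minor line, or None if not needed."""
    v = parse_version(text)
    if v and v[:2] in FIXED and v[2] < FIXED[v[:2]]:
        return f"{v[0]}.{v[1]}.{FIXED[v[:2]]}"
    return None


def audit(inventory):
    """Map each host to (status, upgrade target) for host -> version string."""
    return {h: (classify(s), upgrade_target(s)) for h, s in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "edge-1": "envoy  version: 0a1b2c3d/1.26.2/Clean/RELEASE/BoringSSL",
    "edge-2": "envoyproxy/envoy:v1.25.8",
    "mesh-1": "1.23.10",
    "mesh-2": "1.22.5",
}

if __name__ == "__main__":
    for host, (status, target) in audit(SAMPLE).items():
        print(f"{host}: {status}" + (f" -> {target}" if target else ""))
```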
Long-Term Security Practices
Regularly monitor for security advisories and apply updates promptly to protect systems from known vulnerabilities.
Patching and Updates
Maintain a proactive patching schedule to ensure the timely application of security updates and protect systems from potential threats.