gRPC access log crash caused by the listener draining

Moderate
phlax published GHSA-69vr-g55c-v2v4 Jul 25, 2023

Package

Envoy

Affected versions

< 1.27.0

Patched versions

1.26.4, 1.25.9, 1.24.10, 1.23.12

Description

Summary

A cached gRPC access logger that still references the global stats scope of a listener can cause a use-after-free, and therefore an Envoy crash, when that listener is drained.

Impacted Component

opentelemetry/gRPC access logger extension

Details

gRPC access loggers are cached and reused across listeners with the same logger configuration. If a listener is drained while the cached gRPC access logger is still using that listener's global scope for its stats, the next access to the scope is a use-after-free and Envoy crashes.

PoC

  • Envoy starts serving traffic with a listener that has a gRPC access logger configured.
  • An LDS update modifies the listener, causing the previous one to be drained. Because the new config carries the same gRPC access logger, the logger is not removed from the cache.
  • A new request comes in, and the cached gRPC access logger still references the previous listener's scope for stats, causing a crash.

Attack vector(s)

An untrusted LDS (Listener Discovery Service) upstream, i.e. a control plane that can push listener updates and so trigger a drain.

Impact

Denial of service: Envoy crashes and in-flight and subsequent requests are rejected until it restarts.

Mitigation

Until a patched release is deployed, disable the gRPC access logger or stop pushing listener updates (LDS changes that cause a listener to be drained).
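As an added example, not code from the advisory or from the Envoy project, the script below checks a running Envoy for the two conditions this advisory combines: an unpatched version and a listener that uses a gRPC (or OpenTelemetry) access logger. It reads the JSON that Envoy's admin interface serves at /server_info and /config_dump. The admin address 127.0.0.1:9901, the listener and cluster names and the commit hash in the embedded samples are assumptions constructed for the example.

```python
"""Exposure check for GHSA-69vr-g55c-v2v4 (CVE-2023-35942): an added example,
not code from the advisory or the Envoy project. It reads the JSON that Envoy's
admin interface serves at /server_info and /config_dump (fetch with e.g.
`curl -s http://127.0.0.1:9901/config_dump > dump.json`) and lists the
listeners that use a gRPC or OpenTelemetry access logger on an unpatched build.
The sample documents at the bottom are constructed for this example."""
import json
import re
import sys

# Fix releases from the advisory; 1.27+ is fixed, minors before 1.23 never were.
PATCHED_MINOR = {26: 4, 25: 9, 24: 10, 23: 12}

# Extension names and typed_config @type URLs of the affected loggers.
GRPC_LOGGER_NAMES = {"envoy.access_loggers.http_grpc",
                     "envoy.access_loggers.tcp_grpc",
                     "envoy.access_loggers.open_telemetry"}
GRPC_LOGGER_TYPES = {
    "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig",
    "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig",
    "type.googleapis.com/envoy.extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig"}


def parse_version(server_info):
    """(major, minor, patch) from the "version" field of /server_info, which
    reads like "<commit>/1.26.3/Clean/RELEASE/BoringSSL"."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", server_info["version"])
    if m is None:
        raise ValueError("unrecognised version: %r" % server_info["version"])
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    major, minor, patch = version
    if major != 1:
        return major > 1
    fix = PATCHED_MINOR.get(minor)
    return minor >= 27 or (fix is not None and patch >= fix)


def _collect(node, found):
    """Record every access-log entry backed by a gRPC logger, whether it sits
    at listener level or inside the HTTP connection manager."""
    if isinstance(node, dict):
        typed = node.get("typed_config")
        type_url = typed.get("@type", "") if isinstance(typed, dict) else ""
        if node.get("name") in GRPC_LOGGER_NAMES or type_url in GRPC_LOGGER_TYPES:
            found.add(node.get("name") or type_url)
        for child in node.values():
            _collect(child, found)
    elif isinstance(node, list):
        for child in node:
            _collect(child, found)


def find_grpc_access_loggers(config_dump):
    """{listener name: sorted logger names} over static listeners and dynamic
    (LDS) listeners in active, warming or draining state."""
    exposed = {}
    for cfg in config_dump.get("configs", []):
        if not cfg.get("@type", "").endswith("ListenersConfigDump"):
            continue
        listeners = [s["listener"] for s in cfg.get("static_listeners", [])]
        for dyn in cfg.get("dynamic_listeners", []):
            for state in ("active_state", "warming_state", "draining_state"):
                if "listener" in dyn.get(state, {}):
                    listeners.append(dyn[state]["listener"])
        for listener in listeners:
            found = set()
            _collect(listener, found)
            if found:
                exposed.setdefault(listener.get("name", "?"), set()).update(found)
    return {name: sorted(loggers) for name, loggers in exposed.items()}


# Constructed samples in the shape of the admin JSON (the commit hash is made up).
SAMPLE_SERVER_INFO = {"version": "0123abcd/1.26.3/Clean/RELEASE/BoringSSL", "state": "LIVE"}
HCM = "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
FILE_LOG = {"name": "envoy.access_loggers.file", "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
    "path": "/dev/stdout"}}
GRPC_LOG = {"name": "envoy.access_loggers.http_grpc", "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig",
    "common_config": {"log_name": "ingress", "transport_api_version": "V3",
                      "grpc_service": {"envoy_grpc": {"cluster_name": "als"}}}}}


def _hcm_listener(name, access_log):
    return {"name": name, "filter_chains": [{"filters": [{
        "name": "envoy.filters.network.http_connection_manager",
        "typed_config": {"@type": HCM, "stat_prefix": name, "access_log": [access_log]}}]}]}


SAMPLE_CONFIG_DUMP = {"configs": [{
    "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
    "static_listeners": [{"listener": _hcm_listener("metrics", FILE_LOG)}],
    "dynamic_listeners": [{"name": "ingress_http", "active_state": {
        "version_info": "7", "listener": _hcm_listener("ingress_http", GRPC_LOG)}}]}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # saved /server_info and /config_dump output
        info, dump = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        info, dump = SAMPLE_SERVER_INFO, SAMPLE_CONFIG_DUMP
    version = parse_version(info)
    print("envoy %d.%d.%d patched=%s" % (version + (is_patched(version),)))
    for name, loggers in find_grpc_access_loggers(dump).items():
        print("  listener %s uses %s" % (name, ", ".join(loggers)))
```

Run it with two file arguments holding saved /server_info and /config_dump output, or with none to use the embedded samples. Any listener it reports on an unpatched build is one the mitigation above applies to; a dynamic listener that shows up in draining_state while an identically configured active listener shares its gRPC logger is exactly the window the PoC describes.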

Credits

William Sears wsears@akamai.com

Severity

Moderate

CVSS overall score

6.5 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-35942

Weaknesses

Use After Free (CWE-416)

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory belongs to the code that operates on the new pointer.