Amazon Linux 2 Security Advisory: ALASECS-2024-038
Advisory Release Date: 2024-07-18 00:28 Pacific
Advisory Updated Date: 2024-08-01 01:11 Pacific
2024-08-01: CVE-2024-30255 was added to this advisory.
Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable HTTP/2 protocol for downstream connections. (CVE-2024-30255)
dd-trace-cpp is the Datadog distributed tracing for C++. When the library fails to extract trace context due to malformed unicode, it logs the list of audited headers and their values using the `nlohmann` JSON library. However, due to the way the JSON library is invoked, it throws an uncaught exception, which results in a crash. This vulnerability has been patched in version 0.2.2. (CVE-2024-38525)
Affected Packages:
ecs-service-connect-agent
Note:
This advisory is applicable to Amazon Linux 2 - Ecs Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update ecs-service-connect-agent to update your system.
aarch64:
ecs-service-connect-agent-v1.29.6.0-1.amzn2.aarch64
src:
ecs-service-connect-agent-v1.29.6.0-1.amzn2.src
x86_64:
ecs-service-connect-agent-v1.29.6.0-1.amzn2.x86_64