Amazon Linux 2 Security Advisory: ALASECS-2025-047
Advisory Release Date: 2025-02-12 23:08 Pacific
Advisory Updated Date: 2025-02-25 09:10 Pacific
Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold. (CVE-2024-53270)
Affected Packages:
ecs-service-connect-agent
Note:
This advisory is applicable to Amazon Linux 2 - Ecs Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update ecs-service-connect-agent to update your system.
aarch64:
ecs-service-connect-agent-v1.29.12.0-1.amzn2.aarch64
src:
ecs-service-connect-agent-v1.29.12.0-1.amzn2.src
x86_64:
ecs-service-connect-agent-v1.29.12.0-1.amzn2.x86_64