Amazon Linux 2023 Security Advisory: ALAS-2025-850
Advisory Release Date: 2025-02-12 22:57 Pacific
Advisory Updated Date: 2025-02-21 13:45 Pacific
Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold. (CVE-2024-53270)
Affected Packages:
ecs-service-connect-agent
Issue Correction:
Run dnf update ecs-service-connect-agent --releasever 2023.6.20250218 to update your system.
aarch64:
ecs-service-connect-agent-v1.29.12.0-1.amzn2023.aarch64
src:
ecs-service-connect-agent-v1.29.12.0-1.amzn2023.src
x86_64:
ecs-service-connect-agent-v1.29.12.0-1.amzn2023.x86_64