Envoy
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*
- 1.34.0
- 1.34.1
- 1.34.2
- 1.34.3
- 1.34.4
- 1.35.0
A use-after-free vulnerability has been identified in Envoy versions 1.34.0 prior to 1.34.4 and 1.35.0, within the DNS cache. This vulnerability causes abnormal process termination and is related to Envoy's Dynamic Forward Proxy implementation. The issue arises when a completion callback for a DNS resolution either triggers new DNS resolutions or removes existing pending ones. This scenario can occur if the Dynamic Forwarding Filter is enabled, the 'envoy.reloadable_features.dfp_cluster_resolves_hosts' runtime flag is active, and the Host header is altered between the Dynamic Forwarding Filter and Router filters.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the Envoy process to terminate unexpectedly.
To reproduce this vulnerability, enable the Dynamic Forwarding Filter and the 'envoy.reloadable_features.dfp_cluster_resolves_hosts' runtime flag. Then, modify the Host header between the Dynamic Forwarding Filter and Router filters. This will create a situation where a DNS completion callback can interfere with pending DNS resolutions, triggering the use-after-free condition.
Users should upgrade to Envoy versions 1.34.5 or 1.35.1. If an immediate upgrade is not possible, the 'envoy.reloadable_features.dfp_cluster_resolves_hosts' runtime flag can be set to false as a temporary workaround.
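As an added defender-side check (example code, not from the Envoy project or this advisory), the script below evaluates whether a deployment meets all of the preconditions named above: an affected release, the Dynamic Forward Proxy HTTP filter in a listener's filter chain, and the runtime flag not forced to false. It assumes the bootstrap has already been parsed into a dict (for example with yaml.safe_load), that an unset flag takes the release default, and it only inspects static runtime layers; the sample bootstrap is constructed for illustration.

```python
"""Exposure check for the Envoy DFP DNS-cache use-after-free described above.
Constructed example: inspects a parsed bootstrap (dict, e.g. from yaml.safe_load)
for the preconditions: affected release, DFP filter configured, flag not false."""
import copy

DFP_FILTER_TYPE = "envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig"
RUNTIME_FLAG = "envoy.reloadable_features.dfp_cluster_resolves_hosts"

def is_affected_version(v: str) -> bool:
    """Affected releases, derived from the fixed versions 1.34.5 and 1.35.1."""
    ver = tuple(int(p) for p in v.lstrip("v").split(".")[:3])
    return (1, 34, 0) <= ver < (1, 34, 5) or (1, 35, 0) <= ver < (1, 35, 1)

def dfp_filter_configured(bootstrap: dict) -> bool:
    """True if any HTTP connection manager's http_filters list contains the DFP filter."""
    for listener in bootstrap.get("static_resources", {}).get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for net_filter in chain.get("filters", []):
                for hf in net_filter.get("typed_config", {}).get("http_filters", []):
                    if hf.get("typed_config", {}).get("@type", "").endswith(DFP_FILTER_TYPE):
                        return True
    return False

def runtime_flag_value(bootstrap: dict):
    """Flag from static runtime layers (later layers win); None if unset.
    Dynamic layers (RTDS, disk) are not inspected and could still override it."""
    value = None
    for layer in bootstrap.get("layered_runtime", {}).get("layers", []):
        if RUNTIME_FLAG in layer.get("static_layer", {}):
            value = str(layer["static_layer"][RUNTIME_FLAG]).lower() not in ("false", "0")
    return value

def exposed(version: str, bootstrap: dict) -> bool:
    """All three preconditions hold. Assumption: an unset flag takes the release
    default, which the advisory's 'set it to false' workaround implies is true."""
    return (is_affected_version(version) and dfp_filter_configured(bootstrap)
            and runtime_flag_value(bootstrap) is not False)

def with_workaround(bootstrap: dict) -> dict:
    """Copy of the bootstrap with the advisory's temporary workaround appended."""
    patched = copy.deepcopy(bootstrap)
    layers = patched.setdefault("layered_runtime", {}).setdefault("layers", [])
    layers.append({"name": "dfp_uaf_workaround", "static_layer": {RUNTIME_FLAG: False}})
    return patched

# Constructed minimal bootstrap: DFP filter ahead of the router, no runtime override.
SAMPLE_BOOTSTRAP = {"static_resources": {"listeners": [{"filter_chains": [{"filters": [
    {"typed_config": {"http_filters": [
        {"name": "envoy.filters.http.dynamic_forward_proxy",
         "typed_config": {"@type": "type.googleapis.com/" + DFP_FILTER_TYPE}},
        {"name": "envoy.filters.http.router"}]}}]}]}]}}
```

The workaround only silences the vulnerable path; upgrading remains the actual fix, and a flag set through RTDS or a disk layer will not be seen by this check.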