Summary
gRPC access loggers using the listener's global scope can cause a use-after-free
crash when the listener is drained.
Impacted Component
opentelemetry/gRPC access logger extension
Details
If the listener is drained while the cached gRPC access logger is still using the listener's global scope for stats, a use-after-free will cause Envoy to crash.
PoC
- Envoy starts serving traffic with a listener and a gRPC access log setting.
- An LDS update modifies the listener, causing the previous one to be drained. If the config has the same gRPC access logger, the logger is not removed from the cache.
- A new request comes in, and the gRPC access logger is still referencing the previous listener's scope for stats, causing a crash.
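
The PoC sequence above, replayed in a simplified C++ model (an added example, not Envoy's code or its fix). Scope, Listener, Logger, LoggerCache and the "grpc-als" key are hypothetical names, and a weak_ptr stands in for the logger's non-owning reference so the dangling access is reported instead of executed.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <string>

// Simplified model; every type and name here is hypothetical, not Envoy's.
struct Scope { int logs_written = 0; };          // stands in for a stats scope
// Draining destroys the listener and the scope it owns.
struct Listener { std::shared_ptr<Scope> scope = std::make_shared<Scope>(); };

struct Logger {
    std::weak_ptr<Scope> scope;  // models a non-owning reference; weak_ptr makes the dangling case observable
    bool log() {                 // false = the spot where a raw reference would touch freed memory
        auto live = scope.lock();
        if (!live) return false;
        ++live->logs_written;
        return true;
    }
};

struct LoggerCache {             // keyed by access-log config
    std::map<std::string, std::shared_ptr<Logger>> loggers;
    std::shared_ptr<Logger> getOrCreate(const std::string& config,
                                        const std::shared_ptr<Scope>& scope) {
        auto it = loggers.find(config);
        if (it != loggers.end()) return it->second;  // cache hit: the new scope is never adopted
        auto logger = std::make_shared<Logger>();
        logger->scope = scope;
        return loggers[config] = logger;
    }
};

// Replays the three PoC steps. Returns true if the post-update request logged against a live scope.
bool replay(bool scope_outlives_listener) {
    LoggerCache cache;
    auto independent = std::make_shared<Scope>();      // assumption: a scope not owned by any listener
    auto old_listener = std::make_unique<Listener>();
    cache.getOrCreate("grpc-als", scope_outlives_listener ? independent : old_listener->scope);
    auto new_listener = std::make_unique<Listener>();  // LDS update with the same access-log config
    auto logger = cache.getOrCreate("grpc-als", scope_outlives_listener ? independent : new_listener->scope);
    old_listener.reset();                              // old listener finishes draining
    return logger->log();                              // new request arrives
}

int main() {
    std::printf("listener-owned scope: %s\n", replay(false) ? "live" : "dangling");
    std::printf("independent scope:    %s\n", replay(true) ? "live" : "dangling");
}
```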
Attack vector(s)
Untrusted LDS upstream.
Impact
Denial of service and rejection of requests.
Mitigation
Disable the gRPC access log or stop listener updates.
Credits
William Sears wsears@akamai.com