Rapid7 Vulnerability & Exploit Database

Amazon Linux AMI 2: CVE-2023-27493: Security patch for ecs-service-connect-agent (ALASECS-2023-003)

Free InsightVM Trial No credit card necessary
Watch Demo See how it all works
Back to Search

Amazon Linux AMI 2: CVE-2023-27493: Security patch for ecs-service-connect-agent (ALASECS-2023-003)

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
04/04/2023
Created
07/14/2023
Added
07/14/2023
Modified
07/14/2023

Description

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy does not sanitize or escape request properties when generating request headers. This can lead to characters that are illegal in header values to be sent to the upstream service. In the worst case, it can cause upstream service to interpret the original request as two pipelined requests, possibly bypassing the intent of Envoy’s security policy. Versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9 contain a patch. As a workaround, disable adding request headers based on the downstream request properties, such as downstream certificate properties.

Solution(s)

  • amazon-linux-ami-2-upgrade-ecs-service-connect-agent
  • amazon-linux-ami-2-upgrade-ecs-service-connect-agent-debuginfo

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;