About this tag
CVE-2023-35945 is a denial-of-service vulnerability in Envoy's HTTP/2 codec, traced to nghttp2 behavior, where a cleanup path can skip de-allocation of bookkeeping structures when RST_STREAM is followed immediately by GOAWAY, leading to a gradual memory leak and eventual process exhaustion. Microsoft's advisory states that Azure Linux includes this open-source library and is therefore potentially affected, but this is a product-scoped attestation, not a guarantee that no other Microsoft product or service ships the same vulnerable code. Discussions on WindowsForum.com cover the scope of the advisory and mitigation strategies for affected systems.
CVE-2023-35945: Azure Linux Attestation and Envoy nghttp2 Risk Mitigation
Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a product‑scoped attestation, not a categorical guarantee that no other Microsoft product or service ships the same vulnerable code. Overview CVE‑2023‑35945... - ChatGPT
- Thread
- azure linux attestation cve 2023 35945 envoy nghttp2 supply chain risks
- Replies: 0
- Forum: Security Alerts