617 matches found

Wiz blog
added 2024/07/30 1:49 p.m. | 5 views

Understanding the Gartner® Market Guide for Cloud-Native Application Protection Platforms

How the market is evolving and why now, more than ever, you need a CNAPP...

AI score: 7.2 | Exploits: 0

NVD
added 2024/07/17 6:15 p.m. | 14 views

CVE-2024-40636

Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service UR...

CVSS: 5.3 | EPSS: 0.00064 | Exploits: 0 | References: 1

Spring Engineering
added 2024/07/11 12:0 a.m. | 7 views

A Bootiful Podcast: Cloud Native Cora Iberkleid on architecture, Spring Modulith, and more

Hi, Spring fans! Welcome to another installment of a Bootiful Podcast! In today’s episode, I talk to cloud native Cora Iberkleid about the awesome modular sensation that’s sweeping applications, Spring Modulith!...

AI score: 7.1 | Exploits: 0

OSV
added 2024/07/03 7:17 a.m. | 14 views

BIT-ENVOY-2024-39305 Envoy Proxy use after free when route hash policy is configured with cookie attributes

Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7, Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be...

CVSS: 9.1 | AI score: 6.5 | EPSS: 0.00046 | Exploits: 0 | References: 6

OSV
added 2024/07/01 9:10 p.m. | 10 views

CVE-2024-39305 Envoy Proxy use after free when route hash policy is configured with cookie attributes

Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7, Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be...

CVSS: 6.5 | AI score: 6.6 | EPSS: 0.00046 | Exploits: 0 | References: 7

Spring Engineering
added 2024/06/25 12:0 a.m. | 17 views

This Week in Spring - June 25th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this I'm in beautiful Amsterdam, having visited with customers and spoken at a local Java User Group. Now I'm off to lovely London, UK. Last week I was in Krakow, Poland, for the amazing Devoxx PL event, and in Par...

AI score: 7.1 | Exploits: 0

Tenable Nessus
added 2024/06/24 12:0 a.m. | 28 views

Amazon Linux 2 : ecs-service-connect-agent (ALASECS-2024-037)

The version of ecs-service-connect-agent installed on the remote host is prior to v1.29.5.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2024-037 advisory. Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling...

CVSS: 8.2 | AI score: 7.1 | EPSS: 0.00139 | Exploits: 6 | References: 18

Tenable Nessus
added 2024/06/24 12:0 a.m. | 50 views

Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2024-647)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-647 advisory. 2024-07-17: CVE-2024-30255 was added to this advisory. Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a serve...

CVSS: 8.2 | AI score: 7.4 | EPSS: 0.88805 | Exploits: 7 | References: 20

Spring Engineering
added 2024/06/20 12:0 a.m. | 11 views

A Bootiful Podcast: Thomas Vitale, author of Cloud Native Spring in Action

Hi, Spring fans! In today's episode I'm thrilled to sit down with my friend and Cloud Native Spring in Action author Thomas Vitale. This episode was recorded live at the amazing Spring IO 2024 event...

AI score: 7.1 | Exploits: 0

Spring Engineering
added 2024/06/13 12:0 a.m. | 8 views

A Bootiful Podcast: Abdel Sghiouar, Cloud Native Developer Advocate at Google

Hi, Spring fans! Abdel Sghiouar is a senior Cloud Native Developer Advocate at Google, a co-host of the Kubernetes Podcast by Google and a CNCF Ambassador, and it was my pleasure to sit down with him at the amazing Spring IO event in Barcelona and catch up on all things Kubernetes and Google...

AI score: 7.1 | Exploits: 0

CNNVD
added 2024/06/12 12:0 a.m. | 1 views

Apache Submarine SQL Injection Vulnerability

Apache Submarine is a cloud-native machine learning platform from the Apache USA Foundation. An SQL injection vulnerability exists in Apache Submarine Server Core, which stems from improper neutralization of the particular element used...

CVSS: 8.1 | AI score: 8 | EPSS: 0.00829 | Exploits: 1 | References: 4

OSV
added 2024/06/06 7:18 a.m. | 20 views

BIT-ENVOY-2024-32974 Envoy affected by a crash in EnvoyQuicServerStream::OnInitialHeadersComplete()

Envoy is a cloud-native, open source edge and service proxy. A crash was observed in EnvoyQuicServerStream::OnInitialHeadersComplete with following call stack. It is a use-after-free caused by QUICHE continuing push request headers after StopReading being called on the stream. As after StopReadin...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00022 | Exploits: 1 | References: 2

OSV
added 2024/06/06 7:18 a.m. | 20 views

BIT-ENVOY-2024-32976 Envoy can enter an endless loop while decompressing Brotli data with extra input

Envoy is a cloud-native, open source edge and service proxy. Envoyproxy with a Brotli filter can get into an endless loop during decompression of Brotli data with extra input...

CVSS: 7.5 | AI score: 7.5 | EPSS: 0.00028 | Exploits: 1 | References: 2

OSV
added 2024/06/06 7:17 a.m. | 13 views

BIT-ENVOY-2024-34362 Envoy affected by a crash (use-after-free) in EnvoyQuicServerStream

Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in HttpConnectionManager (HCM) with EnvoyQuicServerStream that can crash Envoy. An attacker can exploit this vulnerability by sending a request without FIN, then a RESET_STREAM frame, and then after receiving the...

CVSS: 5.9 | AI score: 5.9 | EPSS: 0.00021 | Exploits: 1 | References: 2

OSV
added 2024/06/06 7:17 a.m. | 20 views

BIT-ENVOY-2024-34363 Envoy can crash due to uncaught nlohmann JSON exception

Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to crash...

CVSS: 7.5 | AI score: 7.5 | EPSS: 0.00028 | Exploits: 1 | References: 2

NVD
added 2024/06/04 9:15 p.m. | 17 views

CVE-2024-32976

Envoy is a cloud-native, open source edge and service proxy. Envoyproxy with a Brotli filter can get into an endless loop during decompression of Brotli data with extra input...

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.00028 | Exploits: 1 | References: 1

NVD
added 2024/06/04 9:15 p.m. | 17 views

CVE-2024-34363

Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to crash...

CVSS: 7.5 | AI score: 7.5 | EPSS: 0.00028 | Exploits: 1 | References: 1

NVD
added 2024/06/04 9:15 p.m. | 11 views

CVE-2024-34362

Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in HttpConnectionManager (HCM) with EnvoyQuicServerStream that can crash Envoy. An attacker can exploit this vulnerability by sending a request without FIN, then a RESET_STREAM frame, and then after receiving the...

CVSS: 5.9 | AI score: 5.7 | EPSS: 0.00021 | Exploits: 1 | References: 1

NVD
added 2024/06/04 9:15 p.m. | 15 views

CVE-2024-23326

Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into a response. Per RFC https://www.rfc-editor.org/rfc/rfc7230#section-6.7 a server sends 101 when switching...

CVSS: 8.2 | AI score: 5.7 | EPSS: 0.00082 | Exploits: 0 | References: 1

NVD
added 2024/06/04 9:15 p.m. | 15 views

CVE-2024-32975

Envoy is a cloud-native, open source edge and service proxy. There is a crash at QuicheDataReader::PeekVarInt62Length. It is caused by integer underflow in the QuicStreamSequencerBuffer::PeekRegion implementation...

CVSS: 7.5 | AI score: 5.7 | EPSS: 0.00028 | Exploits: 1 | References: 1