Uncontrolled Resource Consumption in envoyproxy/envoy
CVE-2024-27919
- envoyproxy/envoy
- github.com/envoyproxy/envoy
Summary
Envoy is a cloud-native, open-source edge, and service proxy. In the github.com/envoyproxy/envoy package versions 1.29.0 through 1.29.1, the Envoy HTTP/2 protocol stack is vulnerable to the "HTTP/2 CONTINUATION Flood" vulnerability via the "oghttp2" component. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send a sequence of "CONTINUATION" frames without the "END_HEADERS" bit set, causing unlimited memory consumption. This can lead to Denial of Service through memory exhaustion. Users should upgrade to version 1.29.2 to mitigate the effects of the "CONTINUATION" flood. Note that this vulnerability is a regression in Envoy versions 1.29.0 and 1.29.1, so it only affects these versions. As a workaround, it's also possible to downgrade to versions 1.28.1 or earlier or disable the HTTP/2 protocol for downstream connections.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published