Uncontrolled Resource Consumption in envoyproxy/envoy

Summary

Envoy is a cloud-native, open-source edge, and service proxy. In the github.com/envoyproxy/envoy package versions 1.29.0 through 1.29.1, the Envoy HTTP/2 protocol stack is vulnerable to the "HTTP/2 CONTINUATION Flood" vulnerability via the "oghttp2" component. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send a sequence of "CONTINUATION" frames without the "END_HEADERS" bit set, causing unlimited memory consumption. This can lead to Denial of Service through memory exhaustion. Users should upgrade to version 1.29.2 to mitigate the effects of the "CONTINUATION" flood. Note that this vulnerability is a regression in Envoy versions 1.29.0 and 1.29.1, so it only affects these versions. As a workaround, it's also possible to downgrade to versions 1.28.1 or earlier or disable the HTTP/2 protocol for downstream connections.