CVSS score 8.6 (High), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid state transition from CLOSED to DRAINING.
Impact
Denial of Service in the presence of untrusted upstream servers.
Attack Vector
A sequence of H/2 frames delivered by an untrusted upstream server.
Patches
Envoy versions 1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the CLOSED state.
Workarounds
None
Credits
Chaoqin Li (chaoqinli@google.com)
References
https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases
For more information
If you have any questions or comments about this advisory:
Open an issue in Envoy repo
Email us at envoy-security
chaoqin-li1123 Analyst
CVSS score 8.6 (High), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid state transition from CLOSED to DRAINING.
Impact
Denial of Service in the presence of untrusted upstream servers.
Attack Vector
A sequence of H/2 frames delivered by an untrusted upstream server.
Patches
Envoy versions 1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the CLOSED state.
Workarounds
None
Credits
Chaoqin Li (chaoqinli@google.com)
References
https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases
For more information
If you have any questions or comments about this advisory:
Open an issue in Envoy repo
Email us at envoy-security