Detection of Error Condition Without Action Affecting envoyproxy/envoy package, versions [1.29.0,1.29.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-ENVOYPROXYENVOY-6564975
  • published5 Apr 2024
  • disclosed4 Apr 2024

Introduced: 4 Apr 2024

CVE-2024-27919  (opens in a new tab)
CWE-390  (opens in a new tab)

How to fix?

Upgrade envoyproxy/envoy to version 1.29.2 or higher.

Overview

Affected versions of this package are vulnerable to Detection of Error Condition Without Action due to HTTP/2 codec not resetting a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption.

Note:

Common detection causes:

  1. Abnormal process termination due to memory exhaustion.

  2. Memory profiles showing high memory consumption in HTTP/2 codec.

Workaround

Downgrade to version 1.28.1 or earlier or disable HTTP/2 protocol for downstream connections.

References

CVSS Scores

version 3.1