Detection of Error Condition Without Action Affecting envoyproxy/envoy package, versions [1.29.0,1.29.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-UNMANAGED-ENVOYPROXYENVOY-6564975
  • published 5 Apr 2024
  • disclosed 4 Apr 2024

How to fix?

Upgrade envoyproxy/envoy to version 1.29.2 or higher.

Overview

Affected versions of this package are vulnerable to Detection of Error Condition Without Action due to HTTP/2 codec not resetting a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption.

Note:

Common detection causes:

  1. Abnormal process termination due to memory exhaustion.

  2. Memory profiles showing high memory consumption in HTTP/2 codec.

Workaround

Downgrade to version 1.28.1 or earlier or disable HTTP/2 protocol for downstream connections.

References

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High