CVSS score 8.6 (High), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Envoy’s procedure for resetting an HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset.
Impact
Denial of Service when Envoy is configured with a high limit on HTTP/2 concurrent streams.
Attack vector
A client opening and closing a large number of HTTP/2 streams.
Patches
Envoy versions 1.19.1, 1.18.4, 1.17.4 contain fixes to reduce time complexity of resetting HTTP/2 streams.
IMPORTANT: Due to significant divergence in the affected source code between Envoy versions 1.16 and 1.17, it is not feasible to backport the fix into the 1.16 stable branch without increasing the risk of destabilizing it. As a result, operators of Envoy version 1.16 are recommended to apply the workaround listed below. See the recommended edge settings for instructions on changing this setting.
Workarounds
Limit the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, e.g. 10.
Credits
Nikolas Koutounidis koutounidis.nikolaos@gmail.com
References
https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases
For more information
If you have any questions or comments about this advisory:
Open an issue in Envoy repo
Email us at envoy-security