Summary
Envoy HTTP/2 protocol stack is vulnerable to memory exhaustion due to flood of CONTINUATION frames.
Affected Components
HTTP/2 protocol stack.
Details
Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption.
Impact
Denial of service through memory exhaustion.
Attack vector(s)
Sequence of CONTINUATION frames without the END_HEADERS bit set, from an untrusted HTTP/2 peer.
Patches
Users should upgrade to versions 1.29.2 to mitigate the effects of the CONTINUATION flood.
Note that this vulnerability is a regression in Envoy version 1.29.0 and 1.29.1 only.
Workarounds
Downgrade to version 1.28.1 or earlier or disable HTTP/2 protocol.
Detection
Abnormal process termination due to memory exhaustion. Memory profiles showing high memory consumption in HTTP/2 codec.
Credits
Bartek Nowotarski https://nowotarski.info/
Summary
Envoy HTTP/2 protocol stack is vulnerable to memory exhaustion due to flood of CONTINUATION frames.
Affected Components
HTTP/2 protocol stack.
Details
Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption.
Impact
Denial of service through memory exhaustion.
Attack vector(s)
Sequence of CONTINUATION frames without the END_HEADERS bit set, from an untrusted HTTP/2 peer.
Patches
Users should upgrade to versions 1.29.2 to mitigate the effects of the CONTINUATION flood.
Note that this vulnerability is a regression in Envoy version 1.29.0 and 1.29.1 only.
Workarounds
Downgrade to version 1.28.1 or earlier or disable HTTP/2 protocol.
Detection
Abnormal process termination due to memory exhaustion. Memory profiles showing high memory consumption in HTTP/2 codec.
Credits
Bartek Nowotarski https://nowotarski.info/