lahabana published GHSA-9wmc-rg4h-28wv on Oct 12, 2023
Package: kuma-cp, kuma-dp (binary)
Affected versions: 2.4.2, 2.3.2, 2.2.3, 2.1.7, 2.0.7
Patched versions: 2.4.3, 2.3.3, 2.2.4, 2.1.8, 2.0.8
Description
Impact
The Envoy and Go HTTP/2 protocol stacks are vulnerable to the "Rapid Reset" class of exploits, in which a client sends a sequence of HEADERS frames, optionally followed by RST_STREAM frames.
This can be exercised if you use the builtin gateway and it receives untrusted HTTP/2 traffic.
Patches
#8023
#8001
#8034
Workarounds
Disable HTTP/2 on the gateway listener with a MeshProxyPatch or ProxyTemplate.
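One way to apply that workaround, as an added example that is not part of the advisory or of the Kuma project's own documentation: a MeshProxyPatch that forces the builtin gateway's HTTP connection manager onto the HTTP/1.1 codec, so the listener no longer accepts HTTP/2 streams at all. The gateway service name (edge-gateway), the mesh name (default), the MeshService target kind and the origin value used in the filter match are assumptions for this example and should be checked against your deployment and Kuma version.

```yaml
# Added example, not from the advisory or the Kuma project.
# Forces the builtin gateway's HTTP connection manager to the HTTP/1.1 codec,
# which removes the HTTP/2 attack surface described in the advisory until the
# patched version is rolled out.
# Assumed values (adjust for your deployment):
#   - the gateway dataplanes carry kuma.io/service: edge-gateway
#   - the mesh is named "default"
#   - "origin: gateway" restricts the patch to listeners generated for the
#     builtin gateway (assumed match field value)
type: MeshProxyPatch
mesh: default
name: edge-gateway-disable-http2
spec:
  targetRef:
    kind: MeshService          # assumed: select the gateway by its service name
    name: edge-gateway
  default:
    appendModifications:
      - networkFilter:
          operation: Patch
          match:
            name: envoy.filters.network.http_connection_manager
            origin: gateway    # assumed: only patch the gateway's own listeners
          value: |
            name: envoy.filters.network.http_connection_manager
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              codecType: HTTP1
```

After applying the policy, confirm in the gateway dataplane's Envoy configuration dump that the http_connection_manager on the exposed listener shows codecType HTTP1. If the listener terminates TLS, also confirm that h2 is no longer advertised via ALPN, otherwise HTTP/2 clients negotiate h2 and then fail against the HTTP/1.1 codec instead of falling back to HTTP/1.1. The workaround trades HTTP/2 support on that listener for protection; upgrading to the patched versions listed above is the durable fix.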
References
GHSA-qppj-fm5r-hxr3
golang/go#63417
GHSA-jhv4-f7mr-xx76
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/?sf269548684=1
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge