=====================================================================
CERT-Renater Note d'Information No. 2024/VULN180
_____________________________________________________________________

DATE : 09/04/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, 1.26.8.
=====================================================================

https://groups.google.com/g/envoy-security-announce/c/5XgxqT2lDg8
https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm
https://github.com/envoyproxy/envoy/security/advisories/GHSA-gghf-vfxp-799r
_____________________________________________________________________

Envoy security releases [1.29.3, 1.28.2, 1.27.4, 1.26.8] are now available

Hi Envoy community,

We would like to announce the release of the following patch versions:

- 1.29.3
- 1.28.2
- 1.27.4
- 1.26.8

These releases resolve [CVE-2024-30255](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm)

We would also like to disclose that versions 1.29.0 and 1.29.1 were also vulnerable to the more severe [CVE-2024-27919](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gghf-vfxp-799r)

You are encouraged to update your versions of Envoy.

Further information about the releases can be found on the Envoy releases page:
https://github.com/envoyproxy/envoy/releases

cheers,
Ryan Northey (@phlax)
_____________________________________________________________________

HTTP/2: CPU exhaustion due to CONTINUATION frame flood
Severity: Moderate
phlax published GHSA-j654-3ccm-vfmm on Apr 4, 2024

Package: No package listed
Affected versions: <= 1.29.2
Patched versions: 1.29.3, 1.28.2, 1.27.4, 1.26.8

Description

Summary
The HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier is vulnerable to CPU exhaustion due to a flood of CONTINUATION frames.

Affected Components
HTTP/2 protocol stack.
Details
Envoy's HTTP/2 codec allows the peer to send an unlimited number of CONTINUATION frames even after Envoy's header map limits have been exceeded. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, driving CPU utilization at a rate of approximately 1 core per 300 Mbit/s of attack traffic.

Impact
Denial of service through CPU exhaustion.

Attack vector(s)
A sequence of CONTINUATION frames without the END_HEADERS bit set, from an untrusted HTTP/2 peer.

Patches
Users should upgrade to 1.29.3, 1.28.2, 1.27.4 or 1.26.8 to mitigate the effects of the CONTINUATION flood. Note that Envoy versions 1.29.0 and 1.29.1 are additionally impacted by CVE-2024-27919.

Workarounds
Disable the HTTP/2 protocol.

Detection
High CPU utilization without a corresponding increase in request load, with CPU profiles showing elevated CPU utilization in the HTTP/2 codec.

Severity
Moderate, 5.3 / 10

CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID
CVE-2024-30255

Weaknesses
CWE-390
_____________________________________________________________________

HTTP/2: memory exhaustion due to CONTINUATION frame flood
Severity: High
phlax published GHSA-gghf-vfxp-799r on Apr 4, 2024

Package: No package listed
Affected versions: 1.29.0, 1.29.1
Patched versions: 1.29.2

Description

Summary
Envoy's HTTP/2 protocol stack is vulnerable to memory exhaustion due to a flood of CONTINUATION frames.

Affected Components
HTTP/2 protocol stack.

Details
Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing unlimited memory consumption.

Impact
Denial of service through memory exhaustion.

Attack vector(s)
A sequence of CONTINUATION frames without the END_HEADERS bit set, from an untrusted downstream client.
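The mechanism the two advisories describe (a header block that never reaches END_HEADERS, with fragments accepted after the header limit is already exceeded) is easier to reason about at the frame level. The following is an added example, not Envoy's code and not from either advisory: a small HTTP/2 framing model in Python. The frame layout, type codes and END_HEADERS flag are the real RFC 7540 values; the two codec classes, the byte limit, the grace count for frames the peer may already have in flight, the RST_STREAM/GOAWAY responses and the constructed flood traffic are assumptions made for illustration and do not describe how Envoy's actual fix is implemented.

```python
"""Framing-level model of a CONTINUATION flood (added example, not Envoy code).

Frame layout, type codes and flag bits are the real RFC 7540 values. The codec
classes, their limits and the sample flood are constructed for illustration.
"""

# RFC 7540 frame types, the END_HEADERS flag and the ENHANCE_YOUR_CALM error code.
TYPE_HEADERS, TYPE_RST_STREAM, TYPE_GOAWAY, TYPE_CONTINUATION = 0x1, 0x3, 0x7, 0x9
FLAG_END_HEADERS = 0x4
ENHANCE_YOUR_CALM = 0xB


def frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) from back-to-back frames in a byte string."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def continuation_flood(stream_id, fragment, count):
    """Constructed attack traffic: HEADERS without END_HEADERS, then `count` CONTINUATION
    frames that never set END_HEADERS either, so the header block never completes."""
    frames = [frame(TYPE_HEADERS, 0, stream_id, fragment)]
    frames += [frame(TYPE_CONTINUATION, 0, stream_id, fragment)] * count
    return b"".join(frames)


class VulnerableCodec:
    """Pre-fix behaviour as modelled here: every fragment is appended and processed, unbounded."""
    def __init__(self):
        self.header_block = {}   # stream_id -> accumulated header block bytes
        self.frames_processed = 0
        self.completed = 0       # header blocks that reached END_HEADERS, i.e. real requests

    def receive(self, data):
        for ftype, flags, sid, payload in parse_frames(data):
            self.frames_processed += 1
            if ftype in (TYPE_HEADERS, TYPE_CONTINUATION):
                self.header_block[sid] = self.header_block.get(sid, b"") + payload
                if flags & FLAG_END_HEADERS:
                    self.header_block.pop(sid)   # a real codec would HPACK-decode here
                    self.completed += 1

    def buffered_bytes(self):
        return sum(len(b) for b in self.header_block.values())


class BoundedCodec(VulnerableCodec):
    """Modelled fix (an assumption, not Envoy's implementation): reset the stream once its
    header block exceeds the limit, and tear the connection down if the peer keeps sending
    CONTINUATION frames for a stream that was already reset."""
    def __init__(self, max_header_block_bytes, max_continuations_after_reset):
        super().__init__()
        self.limit = max_header_block_bytes
        self.grace = max_continuations_after_reset   # frames the peer may have in flight
        self.reset_streams = {}                      # stream_id -> CONTINUATIONs since reset
        self.sent = []                               # (type, stream_id, error_code) we would send
        self.closed = False

    def receive(self, data):
        for ftype, flags, sid, payload in parse_frames(data):
            if self.closed:
                break            # connection torn down: no further work spent on this peer
            self.frames_processed += 1
            if ftype not in (TYPE_HEADERS, TYPE_CONTINUATION):
                continue
            if sid in self.reset_streams:
                self.reset_streams[sid] += 1
                if self.reset_streams[sid] > self.grace:
                    self.sent.append((TYPE_GOAWAY, 0, ENHANCE_YOUR_CALM))
                    self.closed = True
                continue
            block = self.header_block.get(sid, b"") + payload
            if len(block) > self.limit:
                self.header_block.pop(sid, None)   # free the buffer: memory stays bounded
                self.reset_streams[sid] = 0
                self.sent.append((TYPE_RST_STREAM, sid, ENHANCE_YOUR_CALM))
            elif flags & FLAG_END_HEADERS:
                self.header_block.pop(sid, None)
                self.completed += 1
            else:
                self.header_block[sid] = block


def run_demo(fragment_len=1024, count=200, limit=8192, grace=8):
    """Feed the same constructed flood to both codecs and report what each one did."""
    flood = continuation_flood(1, b"\x00" * fragment_len, count)   # opaque filler, not valid HPACK
    vuln, fixed = VulnerableCodec(), BoundedCodec(limit, grace)
    vuln.receive(flood)
    fixed.receive(flood)
    return {
        "vulnerable": (vuln.frames_processed, vuln.buffered_bytes(), vuln.completed),
        "bounded": (fixed.frames_processed, fixed.buffered_bytes(), fixed.completed),
        "bounded_sent": fixed.sent,
        "bounded_closed": fixed.closed,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the default parameters the vulnerable model processes all 201 frames and holds 201 KiB of header block for a request that never completes, while the bounded model stops after 18 frames with nothing buffered, having sent one RST_STREAM and one GOAWAY. The ratio of CONTINUATION frames to completed header blocks is the frame-level counterpart of the detection hint in the advisories: CPU or memory consumed by the HTTP/2 codec with no matching increase in request load.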
Patches
Users should upgrade to version 1.29.2 to mitigate the effects of the CONTINUATION flood. Note that this vulnerability is a regression in Envoy versions 1.29.0 and 1.29.1 only.

Workarounds
Downgrade to version 1.28.1 or earlier, or disable the HTTP/2 protocol for downstream connections. Note that 1.28.1 and earlier remain affected by CVE-2024-30255 (the CPU-exhaustion variant above); a downgrade removes only the memory-exhaustion regression.

Detection
Abnormal process termination due to memory exhaustion. Memory profiles showing high memory consumption in the HTTP/2 codec.

Severity
High, 7.5 / 10

CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2024-27919

Weaknesses
CWE-390

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================