Bug 1844252 (CVE-2020-12605)

Summary: CVE-2020-12605 envoy: Resource exhaustion when processing HTTP/1.1 headers with long field names
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kconner, rcernich, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: envoy 1.14.2 Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption vulnerability was found in Envoy. This flaw allows an attacker to craft many HTTP requests with long field names or URLs to cause the proxy to consume excessive amounts of memory, potentially resulting in a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-01 19:27:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1844256    

Description Pedro Sampaio 2020-06-04 21:30:27 UTC 
Envoy through 1.14.1 may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs.
Comment 1 Pedro Sampaio 2020-06-04 21:35:15 UTC 
Acknowledgments:

Name: the Envoy security team
Comment 3 Mark Cooper 2020-06-30 22:04:04 UTC 
External References:

https://istio.io/latest/news/security/istio-security-2020-007/
Comment 4 Mark Cooper 2020-06-30 23:10:18 UTC 
Upstream commit: https://github.com/envoyproxy/envoy/commit/7ca28ff7d46454ae930e193d97b7d08156b1ba59
Comment 5 errata-xmlrpc 2020-07-01 18:44:32 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2798 https://access.redhat.com/errata/RHSA-2020:2798
Comment 6 Product Security DevOps Team 2020-07-01 19:27:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12605
Comment 7 errata-xmlrpc 2020-07-07 19:34:33 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2864 https://access.redhat.com/errata/RHSA-2020:2864