Bug 1844252 (CVE-2020-12605)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-12605 envoy: Resource exhaustion when processing HTTP/1.1 headers with long field names | | |
| Product | [Other] Security Response | Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | kconner, rcernich, security-response-team |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | envoy 1.14.2 | Doc Type | If docs needed, set a value |
| Doc Text | An uncontrolled resource consumption vulnerability was found in Envoy. This flaw allows an attacker to craft many HTTP requests with long field names or URLs to cause the proxy to consume excessive amounts of memory, potentially resulting in a denial of service. The highest threat from this vulnerability is to system availability. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-07-01 19:27:48 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1844256 | | |
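The Doc Text above describes excessive memory use while a proxy processes HTTP/1.1 headers with long field names or URLs. One general way such a flaw arises is enforcing the header-size limit only after the whole header block has been buffered, so a client that keeps sending a never-ending field name drives memory use well past the configured cap. The block below is an added example, not Envoy's code and not the upstream fix referenced in this bug, and it does not claim to reproduce Envoy's code path. It contrasts a reader that applies the budget once the header block is complete with one that applies it as bytes arrive. The 60 KiB limit, the 4 KiB chunk size, the constructed request bytes and all function names are assumptions made for the example.

```python
"""Added example (not Envoy's code): header-size limit enforced late vs. early.

A long header field name is fed to two readers in small chunks, and each
reports how many bytes it held in memory before deciding.
"""

# Assumed byte budget for the example (roughly the size of a typical proxy
# header limit); it is not read from any Envoy configuration.
MAX_HEADER_BYTES = 60 * 1024
CHUNK_SIZE = 4096          # assumed TCP read size for the simulation
END_OF_HEADERS = b"\r\n\r\n"


def build_request(field_name_len):
    """Constructed sample request: one header whose *name* is field_name_len bytes."""
    name = b"x" * field_name_len
    return b"GET / HTTP/1.1\r\nHost: example.test\r\n" + name + b": 1\r\n\r\n"


def chunked(data, size):
    """Yield data in fixed-size pieces, as a socket read loop would see it."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def _find_terminator(buf, last_chunk_len):
    # Only rescan the tail, including 3 bytes before the new chunk so a
    # terminator split across chunks is still found.
    return buf.find(END_OF_HEADERS, max(0, len(buf) - last_chunk_len - 3))


def read_headers_late_check(chunks, limit=MAX_HEADER_BYTES):
    """Weak pattern: buffer until the header block ends, then check the limit.

    Returns (status, peak_bytes_buffered). Memory use is bounded only by
    how much the client chooses to send before the terminator.
    """
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
        end = _find_terminator(buf, len(chunk))
        if end != -1:
            header_len = end + len(END_OF_HEADERS)
            return ("rejected" if header_len > limit else "ok", len(buf))
    return ("incomplete", len(buf))


def read_headers_early_check(chunks, limit=MAX_HEADER_BYTES):
    """Hardened pattern: check the limit every time bytes are appended.

    Returns (status, peak_bytes_buffered). Memory use is bounded by
    limit + one chunk regardless of what the client sends.
    """
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
        end = _find_terminator(buf, len(chunk))
        if end != -1:
            header_len = end + len(END_OF_HEADERS)
            return ("rejected" if header_len > limit else "ok", len(buf))
        if len(buf) > limit:
            # Budget exceeded with no terminator in sight: stop reading now
            # instead of waiting for a terminator that may never come.
            return ("rejected", len(buf))
    return ("incomplete", len(buf))


def compare(field_name_len, chunk_size=CHUNK_SIZE, limit=MAX_HEADER_BYTES):
    """Run both readers over the same constructed request; return their verdicts."""
    req = build_request(field_name_len)
    return {
        "late": read_headers_late_check(chunked(req, chunk_size), limit),
        "early": read_headers_early_check(chunked(req, chunk_size), limit),
    }


if __name__ == "__main__":
    for n in (1024, 1 << 20):
        print(f"field name of {n} bytes:", compare(n))
```

Both readers accept the small request and reject the 1 MiB field name; the difference is the peak buffered size, about 1 MiB for the late check against at most limit plus one chunk for the early check. Envoy's own per-request header budget is configured on the HTTP connection manager via max_request_headers_kb; the example does not use Envoy and is only an illustration of why the check has to run during parsing rather than after it.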
Description
Pedro Sampaio
2020-06-04 21:30:27 UTC
Acknowledgments:

Name: the Envoy security team

External References:

https://istio.io/latest/news/security/istio-security-2020-007/

Upstream commit:

https://github.com/envoyproxy/envoy/commit/7ca28ff7d46454ae930e193d97b7d08156b1ba59

This issue has been addressed in the following products:

OpenShift Service Mesh 1.1

Via RHSA-2020:2798 https://access.redhat.com/errata/RHSA-2020:2798

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12605

This issue has been addressed in the following products:

OpenShift Service Mesh 1.0

Via RHSA-2020:2864 https://access.redhat.com/errata/RHSA-2020:2864