Bug 2242010

Summary: envoy: Denial of service when using HTTP/2 protocol
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED DUPLICATE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jwendell, rcernich, security-response-team, twalsh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: envoy 1.27.1, envoy 1.26.5, envoy 1.25.10, envoy 1.24.11 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found under Istio Envoy which leads to Denial of service when using HTTP/2 protocol. In the basic form the attack submits a high number of requests, starving legitimate connections of CPU, causing either elevated latencies or request timeouts. In more complicated production scenarios, Envoy is often integrated with sidecar services, such as rate limiter, ext_authz or WAF. Envoy may be configured to fail open when a sidecar service times out, to prevent sidecar service outage from impacting user traffic. In this case the attack may cause request timeouts to the sidecar services, and (if they fail open) the abusive requests reaching backend services.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-10-16 19:49:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2241333    

Description Patrick Del Bello 2023-10-03 20:34:19 UTC 
A flaw was found under Istio Envoy which leads to Denial of service when using HTTP/2 protocol. In the basic form the attack submits a high number of requests, starving legitimate connections of CPU, causing either elevated latencies or request timeouts.

In more complicated production scenarios, Envoy is often integrated with sidecar services, such as rate limiter, ext_authz or WAF. Envoy may be
configured to fail open when a sidecar service times out, to prevent sidecar service outage from impacting user traffic. In this case the attack
may cause request timeouts to the sidecar services, and (if they fail open) the abusive requests reaching backend services.

The attack can be detected by observing elevated `downstream_rq_http2_total` or `downstream_rq_http3_total` counters without
a substantial increase in the `downstream_cx_active` counter. In some known forms of  attack the value of `downstream_rq_rx_reset` will be elevated,
while during other known forms of attack the `downstream_rq_5xx` or `downstream_rq_4xx` will be elevated.
Comment 3 Anten Skrabec 2023-10-16 19:49:32 UTC 

*** This bug has been marked as a duplicate of bug 2243296 ***
Comment 4 errata-xmlrpc 2023-10-19 22:23:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:5951 https://access.redhat.com/errata/RHSA-2023:5951
Comment 5 errata-xmlrpc 2023-10-19 22:23:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.4 for RHEL 8

Via RHSA-2023:5952 https://access.redhat.com/errata/RHSA-2023:5952