Bug 2272986 (CVE-2024-30255)

Summary: CVE-2024-30255 envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, aoconnor, bniver, dfreiber, dhanak, drow, dsimansk, dymurray, eglynn, flucifre, gkamathe, gmeno, gparvin, ibolton, jburrell, jcantril, jjoyce, jkoehler, jmatthew, jmontleo, jschluet, jwendell, kingland, kverlaen, lbainbri, lhh, lsvaty, matzew, mbenjamin, mburns, mgarciac, mhackett, mnovotny, mrajanna, mwringe, njean, owatkins, pahickey, periklis, pgrist, pierdipi, rcernich, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, sdawley, security-response-team, sidakwo, skontopo, slucidi, sostapov, sseago, twalsh, vereddy, vkumar, whayutin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: envoy 1.29.3, envoy 1.28.2, envoy 1.27.4, envoy 1.26.8 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in how Envoy Proxy implements the HTTP/2 codec. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up compute resources to cause a Denial of Service.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2273047, 2273048, 2273049, 2273051, 2273052, 2273053, 2273046, 2273050    
Bug Blocks: 2268258    

Description Chess Hazlett 2024-04-03 15:07:49 UTC
HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are vulnerable to CPU exhaustion due to flood of CONTINUATION frames.

Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.

Comment 5 Nick Tait 2024-04-03 19:30:45 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2273052]

Created grpcurl tracking bugs for this issue:

Affects: fedora-all [bug 2273051]

Comment 16 errata-xmlrpc 2024-07-11 17:32:57 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2024:4520 https://access.redhat.com/errata/RHSA-2024:4520