1844255 – (CVE-2020-12604) CVE-2020-12604 envoy: Resource exhaustion via HTTP/2 client requests with large payloads and improper stream windows

Bug 1844255 (CVE-2020-12604) - CVE-2020-12604 envoy: Resource exhaustion via HTTP/2 client requests with large payloads and improper stream windows

Summary: CVE-2020-12604 envoy: Resource exhaustion via HTTP/2 client requests with lar...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-12604
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1844256
TreeView+	depends on / blocked

Reported:	2020-06-04 21:38 UTC by Pedro Sampaio
Modified:	2021-02-16 19:56 UTC (History)
CC List:	3 users (show)
Fixed In Version:	envoy 1.14.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-07-01 19:27:53 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:2798	0	None	None	None	2020-07-01 18:44:36 UTC
Red Hat Product Errata	RHSA-2020:2864	0	None	None	None	2020-07-07 19:34:40 UTC

Description Pedro Sampaio 2020-06-04 21:38:30 UTC

Envoy through 1.14.1 is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. The attacker can cause data associated with many streams to be buffered forever.

Comment 1 Pedro Sampaio 2020-06-04 21:38:34 UTC

Acknowledgments:

Name: the Envoy security team

Comment 4 Mark Cooper 2020-06-30 22:04:15 UTC

External References:

https://istio.io/latest/news/security/istio-security-2020-007/

Comment 5 Mark Cooper 2020-06-30 23:16:50 UTC

Upstream commit: https://github.com/envoyproxy/envoy/commit/5eba69a1f375413fb93fab4173f9c393ac8c2818

Comment 6 errata-xmlrpc 2020-07-01 18:44:35 UTC

This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2798 https://access.redhat.com/errata/RHSA-2020:2798

Comment 7 Product Security DevOps Team 2020-07-01 19:27:53 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12604

Comment 8 errata-xmlrpc 2020-07-07 19:34:38 UTC

This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2864 https://access.redhat.com/errata/RHSA-2020:2864

Note You need to log in before you can comment on or make changes to this bug.