Bug 2272986 (CVE-2024-30255) - CVE-2024-30255 envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood
Summary: CVE-2024-30255 envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood
Status: NEW
Alias: CVE-2024-30255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2273047 2273048 2273049 2273051 2273052 2273053 2273046 2273050
Blocks: 2268258
TreeView+ depends on / blocked
Reported: 2024-04-03 15:07 UTC by Chess Hazlett
Modified: 2024-07-11 17:33 UTC (History)
58 users (show)

Fixed In Version: envoy 1.29.3, envoy 1.28.2, envoy 1.27.4, envoy 1.26.8
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in how Envoy Proxy implements the HTTP/2 codec. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up compute resources to cause a Denial of Service.
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:4520 0 None None None 2024-07-11 17:33:00 UTC

Description Chess Hazlett 2024-04-03 15:07:49 UTC
HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are vulnerable to CPU exhaustion due to flood of CONTINUATION frames.

Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.

Comment 5 Nick Tait 2024-04-03 19:30:45 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2273052]

Created grpcurl tracking bugs for this issue:

Affects: fedora-all [bug 2273051]

Comment 16 errata-xmlrpc 2024-07-11 17:32:57 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2024:4520 https://access.redhat.com/errata/RHSA-2024:4520

Note You need to log in before you can comment on or make changes to this bug.