2272986 – (CVE-2024-30255) CVE-2024-30255 envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood

Bug 2272986 (CVE-2024-30255) - CVE-2024-30255 envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood

Summary: CVE-2024-30255 envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood

Keywords:
Status:	NEW
Alias:	CVE-2024-30255
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2273052 2273046 2273047 2273048 2273049 2273050 2273051 2273053 2306526
Blocks:	2268258
TreeView+	depends on / blocked

Reported:	2024-04-03 15:07 UTC by Chess Hazlett
Modified:	2025-05-06 08:28 UTC (History)
CC List:	56 users (show)
Fixed In Version:	envoy 1.29.3, envoy 1.28.2, envoy 1.27.4, envoy 1.26.8
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:4520	0	None	None	None	2024-07-11 17:33:00 UTC
Red Hat Product Errata	RHSA-2024:7725	0	None	None	None	2024-10-07 09:25:50 UTC

Description Chess Hazlett 2024-04-03 15:07:49 UTC

HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are vulnerable to CPU exhaustion due to flood of CONTINUATION frames.

Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.

Comment 5 Nick Tait 2024-04-03 19:30:45 UTC

Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2273052]


Created grpcurl tracking bugs for this issue:

Affects: fedora-all [bug 2273051]

Comment 16 errata-xmlrpc 2024-07-11 17:32:57 UTC

This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2024:4520 https://access.redhat.com/errata/RHSA-2024:4520

Comment 17 errata-xmlrpc 2024-10-07 09:25:47 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:7725 https://access.redhat.com/errata/RHSA-2024:7725

Note You need to log in before you can comment on or make changes to this bug.

amctagga
aoconnor
bniver
dfreiber
dhanak
drow
dsimansk
dymurray
eglynn
flucifre
gkamathe
gmeno
gparvin
ibolton
jburrell
jcantril
jjoyce
jkoehler
jmatthew
jmontleo
jschluet
jwendell
kingland
kverlaen
lbainbri
lhh
lsvaty
matzew
mbenjamin
mburns
mgarciac
mhackett
mnovotny
mrajanna
mwringe
njean
owatkins
pahickey
pgrist
pierdipi
rcernich
rguimara
rhaigner
rhos-maint
rhuss
rjohnson
sdawley
security-response-team
sidakwo
slucidi
sostapov
sseago
twalsh
vereddy
vkumar
whayutin