Denial of service in the HTTP2 library used by Envoy.
|CVSS Impact Score||7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|
|Affected Releases||1.4 to 1.4.9|
1.5 to 1.5.4
1.6 to 1.6.1
A vulnerability affecting the HTTP2 library used by Envoy has been fixed and publicly disclosed (c.f. Denial of service: Overly large SETTINGS frames ). Unfortunately Istio did not benefit from a responsible disclosure process.
By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.
- CVSS Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
HTTP2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration for example (Note that HTTP2 support at ingress can be disabled if you are not exposing gRPC services through ingress):
apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: disable-ingress-h2 namespace: istio-system spec: workloadSelector: labels: istio: ingressgateway configPatches: - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy match: context: GATEWAY listener: filterChain: filter: name: "envoy.http_connection_manager" patch: operation: MERGE value: typed_config: "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager codec_type: HTTP1
- For Istio 1.4.x deployments: update to Istio 1.4.10 or later.
- For Istio 1.5.x deployments: update to Istio 1.5.5 or later.
- For Istio 1.6.x deployments: update to Istio 1.6.2 or later.
We’d like to thank
Michael Barton for bringing this publicly disclosed vulnerability to our attention.
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.