ISTIO-SECURITY-2019-004

Multiple denial of service vulnerabilities related to HTTP2 support in Envoy.

Aug 13, 2019

Disclosure Details
CVE(s)CVE-2019-9512
CVE-2019-9513
CVE-2019-9514
CVE-2019-9515
CVE-2019-9518
CVSS Impact Score7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Releases1.1 to 1.1.12
1.2 to 1.2.3

Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks:

Those vulnerabilities were reported externally and affect multiple proxy implementations. See this security bulletin for more information.

Impact and detection

If Istio terminates externally originated HTTP then it is vulnerable. If Istio is instead fronted by an intermediary that terminates HTTP (e.g., a HTTP load balancer), then that intermediary would protect Istio, assuming the intermediary is not itself vulnerable to the same HTTP/2 exploits.

Mitigation

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.