ISTIO-SECURITY-2020-006
Denial of service in the HTTP2 library used by Envoy.
Disclosure Details | |
---|---|
CVE(s) | CVE-2020-11080 |
CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Affected Releases | 1.4 to 1.4.9 1.5 to 1.5.4 1.6 to 1.6.1 |
A vulnerability affecting the HTTP2 library used by Envoy has been fixed and publicly disclosed (c.f. Denial of service: Overly large SETTINGS frames ). Unfortunately Istio did not benefit from a responsible disclosure process.
- CVE-2020-11080:
By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.
- CVSS Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Mitigation
HTTP2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration for example (Note that HTTP2 support at ingress can be disabled if you are not exposing gRPC services through ingress):
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: disable-ingress-h2
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: MERGE
value:
typed_config:
"@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
codec_type: HTTP1
- For Istio 1.4.x deployments: update to Istio 1.4.10 or later.
- For Istio 1.5.x deployments: update to Istio 1.5.5 or later.
- For Istio 1.6.x deployments: update to Istio 1.6.2 or later.
Credit
We’d like to thank Michael Barton
for bringing this publicly disclosed vulnerability to our attention.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.