CVE-2024-30255
HTTP/2: CPU exhaustion due to CONTINUATION frame flood
In short
Envoy proxy is vulnerable to a denial-of-service attack where an attacker floods the server with HTTP/2 CONTINUATION frames, causing excessive CPU usage and making the service unavailable. This happens because Envoy doesn't properly limit these frames even after reaching its header size limits.
Technical detail
The HTTP/2 codec in Envoy prior to versions 1.29.3, 1.28.2, 1.27.4, and 1.26.8 fails to enforce limits on CONTINUATION frames sent without the END_HEADERS bit set, allowing unauthenticated remote attackers to send an unlimited number of such frames, which consume approximately 1 CPU core per 300Mbit/s of malicious traffic. The attack vector is network-based and requires no authentication, resulting in CPU exhaustion and denial of service.
Summary generated and translated by AI from the official description.
Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 is vulnerable to CPU exhaustion due to a flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing sustained CPU utilization of approximately 1 core per 300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable the HTTP/2 protocol for downstream connections.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
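The workaround named in the description, as an added example that is not part of the advisory or of the Envoy project's own configuration: a minimal static Envoy listener with HTTP/2 disabled for downstream connections. The listener name, addresses, cluster name and certificate paths are assumptions chosen for illustration; the field names used (`codec_type` on HttpConnectionManager and `alpn_protocols` on DownstreamTlsContext) are Envoy's own. The commented-out lines show the settings that leave HTTP/2 reachable from downstream clients, beside the corrected values.

```yaml
# Added example (not from the advisory or the Envoy project): a static Envoy
# listener applying the advisory's workaround of disabling HTTP/2 for
# downstream connections. Names, addresses and file paths are assumptions.
static_resources:
  listeners:
  - name: ingress_listener                  # assumed name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            # Before (leaves HTTP/2 reachable): advertising h2 lets TLS clients
            # negotiate HTTP/2 and reach the CONTINUATION-frame codec path.
            # alpn_protocols: ["h2", "http/1.1"]
            # Workaround: only offer HTTP/1.1 via ALPN.
            alpn_protocols: ["http/1.1"]
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }   # assumed path
              private_key: { filename: /etc/envoy/certs/server.key }         # assumed path
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # Before (leaves HTTP/2 reachable): AUTO (the default) sniffs for the
          # HTTP/2 connection preface and HTTP2 forces it, so downstream
          # clients can open HTTP/2 streams and send CONTINUATION frames.
          # codec_type: AUTO
          # Workaround from the advisory: force the HTTP/1.1 codec so no
          # HTTP/2 frames are parsed on downstream connections at all.
          codec_type: HTTP1
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_service }   # assumed cluster name
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_service                   # assumed cluster name
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal, port_value: 8080 }  # assumed
```

Both changes belong together: `codec_type: HTTP1` stops Envoy from parsing HTTP/2 on the downstream side (including cleartext HTTP/2 prior-knowledge connections that `AUTO` would otherwise detect), and dropping `h2` from `alpn_protocols` keeps TLS clients from negotiating a protocol the listener will no longer speak. The advisory scopes the workaround to downstream connections only, so upstream (Envoy-to-backend) cluster protocol settings are left untouched here. Treat this as a stop-gap; the remediation the advisory calls for is upgrading to 1.29.3, 1.28.2, 1.27.4, or 1.26.8.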