Gloo Security Update to Address Envoy Proxy Denial-of-Service CVE
Yesterday, Envoy Proxy announced Envoy version v1.11.2, addressing two CVEs in which a remote attacker can cause a denial of service in the proxies through over-consumption of memory or CPU, or through abnormal process termination.
Gloo Open Source 0.20.4 and Gloo Enterprise 0.20.2 have been released and include the latest version of Envoy with these CVEs addressed. We recommend that all end users upgrade to the latest version of Gloo to protect their environment. View the changelog here.
More information about the CVEs is included below and in the community notification.
- (CVSS score 7.5, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): Users of Envoy 1.11.1 and before may configure a route to match incoming path headers while using the libstdc++ regex implementation. A remote attacker may send a request with a very long URI, resulting in a denial of service (memory consumption or abnormal process termination). More info: github.com/envoyproxy/envoy/issues/8519
- (CVSS score 7.5, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): Upon receiving each piece of incoming request header data, Envoy iterates over the existing request headers to verify that their total size stays below a maximum limit. The implementation in versions 1.10.0 and after for HTTP/1.x traffic, and in all previous versions of Envoy for HTTP/2 traffic, had O(n²) performance characteristics. A remote attacker might craft a request that stays below the maximum request header size but consists of many thousands of small headers, consuming CPU and resulting in a denial of service. More info: github.com/envoyproxy/envoy/issues/8520
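To make the second issue concrete, here is an added example (not Envoy's or Gloo's code) contrasting a header-size check that re-walks every accepted header each time a new one arrives with one that carries a running total; `validateQuadratic`, `validateLinear`, `CheckResult` and the constructed header list are hypothetical names, and the `inspected` counter stands in for CPU time spent.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>
// A request header block is modelled as a list of (name, value) pairs.
using HeaderList = std::vector<std::pair<std::string, std::string>>;
// Outcome of a size check: headers accepted and header visits performed (a proxy for CPU work).
struct CheckResult { std::size_t accepted; std::size_t inspected; };

// Bytes charged against the limit for one header (name plus value).
static std::size_t headerBytes(const std::pair<std::string, std::string>& h) {
  return h.first.size() + h.second.size();
}

// Quadratic check: on each arriving header, re-walk every header already
// accepted to recompute the running total, so n headers cost O(n^2) work.
CheckResult validateQuadratic(const HeaderList& incoming, std::size_t maxBytes) {
  HeaderList accepted;
  CheckResult r{0, 0};
  for (const auto& h : incoming) {
    accepted.push_back(h);
    std::size_t total = 0;
    for (const auto& a : accepted) {  // full re-scan on every header
      total += headerBytes(a);
      ++r.inspected;
    }
    if (total > maxBytes) return r;  // reject the header that crossed the limit
    ++r.accepted;
  }
  return r;
}

// Linear check: carry a running total so each header costs O(1).
CheckResult validateLinear(const HeaderList& incoming, std::size_t maxBytes) {
  CheckResult r{0, 0};
  std::size_t total = 0;
  for (const auto& h : incoming) {
    total += headerBytes(h);
    ++r.inspected;
    if (total > maxBytes) return r;
    ++r.accepted;
  }
  return r;
}

// Constructed input: n tiny headers ("x-<i>: 1") whose total size stays small.
HeaderList makeSmallHeaders(std::size_t n) {
  HeaderList hs;
  for (std::size_t i = 0; i < n; ++i) hs.emplace_back("x-" + std::to_string(i), "1");
  return hs;
}
```

With 2000 headers under the limit, the quadratic variant performs 2,001,000 header visits against 2000 for the linear one, which is the growth the advisory describes; both variants accept exactly the same requests.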