Gloo Security Update to Address Envoy Proxy Denial-of-Service CVE

Solo.io Engineering | October 9, 2019

Yesterday, Envoy Proxy announced Envoy version v1.11.2 addressing two CVEs where denial of service by remote attackers is possible through over consumption of memory, CPU and abnormal process termination to the proxies.

Gloo Open Source 0.20.4 and Enterprise 0.20.2 have been released and include the latest version of Envoy with CVEs addressed. We recommend that all end users upgrade to the latest version of Gloo to protect their environment. View the changelog here.

More information about the CVEs included below and in the community notification.

CVE-2019–15225

CVE-2019–15226

  • (CVSS score 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 and after for HTTP/1.x traffic, and all previous versions of Envoy for HTTP/2 traffic, had O(n²) performance characteristics. A remote attacker might craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack. More info github.com/envoyproxy/envoy/issues/8520

Questions?

Back to Blog