Summary
HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are vulnerable to CPU exhaustion due to flood of CONTINUATION frames.
Affected Components
HTTP/2 protocol stack.
Details
Envoy's HTTP/2 codec allows the peer to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.
Impact
Denial of service through CPU exhaustion.
Attack vector(s)
Sequence of CONTINUATION frames without the END_HEADERS bit set, from an untrusted HTTP/2 peer.
Patches
Users should upgrade to versions 1.29.3 to mitigate the effects of the CONTINUATION flood.
Note that Envoy versions 1.29.0 and 1.29.1 are additionally impacted by CVE-2024-27919
Workarounds
Disable HTTP/2 protocol.
Detection
High CPU utilization without corresponding increase in request load with CPU profiles showing elevated CPU utilization in HTTP/2 codec.
Credits
Bartek Nowotarski https://nowotarski.info/
Summary
HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are vulnerable to CPU exhaustion due to flood of CONTINUATION frames.
Affected Components
HTTP/2 protocol stack.
Details
Envoy's HTTP/2 codec allows the peer to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic.
Impact
Denial of service through CPU exhaustion.
Attack vector(s)
Sequence of CONTINUATION frames without the END_HEADERS bit set, from an untrusted HTTP/2 peer.
Patches
Users should upgrade to versions 1.29.3 to mitigate the effects of the CONTINUATION flood.
Note that Envoy versions 1.29.0 and 1.29.1 are additionally impacted by CVE-2024-27919
Workarounds
Disable HTTP/2 protocol.
Detection
High CPU utilization without corresponding increase in request load with CPU profiles showing elevated CPU utilization in HTTP/2 codec.
Credits
Bartek Nowotarski https://nowotarski.info/