Skip to content

Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components

Moderate
phlax published GHSA-xcj3-h7vf-fw26 Jun 4, 2024

Package

source/common/http/async_client_impl.cc (Envoyproxy)

Affected versions

< 1.30.2

Patched versions

1.30.2, 1.29.5, 1.28.4, 1.27.6

Description

Summary

Envoy exposed an out-of-memory (OOM) vector from the mirror response, since async HTTP client will buffer the response with an unbounded buffer.

Details

If a mirror cluster decides to send extremely large response messages, those messages are fully buffered in memory by the async HTTP client. This allows a malicious backend to potentially OOM Envoys by sending huge responses.

Other components that are using HTTP async client in Envoy may also be impacted.

  • wasm filter
  • lua filter
  • ext_proc
  • oauth fitler
  • ext_authz
  • jwks_fetcher
  • gcp_auther_filter
  • aws_metadata_fetcher
  • opentelemetry/http_trace_exporter,
  • opentelemetry/dynatrace/sampler_config_provider
  • config_subscription/rest/rest_api_fetcher
  • rate_limiter

Most of the auth/log related extensions assume trusted upstream, while wasm, lua, and ext_proc may not assume it.

Impact

Denial of service and Envoy will be OOMed.

Mitigation

Patched versions:

  • disable buffering the mirror response, as Envoy will never use it.
  • provide a configuration for the HTTP async client with a default hard limit. Users can set the limit through a runtime key based on needs, protection mechanism, security posture, etc.

Credit

Reported by: Paul Ogilby [email protected] (@paul-r-gall)

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-34364

Weaknesses

No CWEs

Credits