Incorrect handling of H2 GOAWAY + SETTINGS frames
Package
Affected versions
< 0.15.1
Patched versions
0.15.1
Description
Published by the National Vulnerability Database
Sep 9, 2021
Reviewed
Sep 10, 2021
Published to the GitHub Advisory Database
Sep 10, 2021
Last updated
Feb 1, 2023
Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event.
Impact
This can lead to a DoS in the presence of untrusted upstream servers.
Patches
0.15.1 contains an upgraded envoy binary with this vulnerability patched.
Workarounds
If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.
References
envoy GSA
envoy CVE
envoy announcement
For more information
If you have any questions or comments about this advisory:
References