Istio and the Envoy proxy security team have announced releases that address HIGH severity CVE-2020-11080, with a CVSS score of 7.5.
The identified vulnerability relates to excessive CPU usage when processing HTTP/2 SETTINGS frames that would cause denial of service. A malicious attacker might repeatedly construct a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries), causing the CPU to spike at 100%.
To address the vulnerability, we encourage Envoy users to upgrade to Envoy proxy 1.12.4, 1.13.2 or 1.14.2. You can get the latest release from GetEnvoy.
Istio users should update to 1.5.5 or later for 1.5.x deployments and 1.6.2 or later for 1.6.x deployments.
Am I at Risk?
Not all Envoy users will be directly impacted by these vulnerabilities.
Users using Envoy as a HTTP/2 proxy communicating directly with untrusted peers are vulnerable. Deployments communicating only with trusted HTTP/2 peers (e.g. hosted behind Cloud HTTP load balancers) are not vulnerable, but we still recommend updating them. Users using Envoy as a TCP proxy and/or HTTP/1.1 proxy are not affected.
To see if you’re running a vulnerable version of Envoy, run envoy --version and if it indicates a base version of 1.12.3, 1.13.1, 1.14.1 or older then you are running a vulnerable version.
If you’re running GetEnvoy, upgrade GetEnvoy to last version and run: getenvoy verify
to see if your installed Envoy contains the security fixes. If yours doesn’t, please run: getenvoy fetch to get the latest build from us.
How do I mitigate?
The vulnerable Envoy versions can mitigate those vulnerabilities by disabling HTTP2 and allowing only HTTP/1.1 by setting http_connection_manager.codec_type to “HTTP1” and removing “h2” from common_tls_context.alpn_protocols.
Please note that while virtually all HTTP clients can use HTTP/1.1 and HTTP/2 interchangeably, proxying gRPC requires HTTP/2 and it won’t work when HTTP/2 is disabled.
For Istio mitigation, too, HTTP2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration for example (Note that HTTP2 support at ingress can be disabled if you are not exposing gRPC services through ingress):
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: disable-ingress-h2
namespace: istio-system
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: MERGE
value:
typed_config:
"@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
codec_type: HTTP1
How do I upgrade Envoy?
To get our latest release, run getenvoy fetch
You can also upgrade to 1.12.4, 1.13.2 or 1.14.2 via your Envoy distribution or rebuild from the Envoy GitHub source at the v1.12.4, v1.13.2 or v1.14.2 tag or 8b6ea4eaf95c7fa4822a35b25e6984fb2a718b49 @ master.
Tetrate will continue to work in close coordination with the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.
Have questions?
Reach out to the Envoy community on #envoy-cve if you have any further questions. Reach out to Tetrate at info@tetrate.io for more information on GetEnvoy or to tap our Envoy maintainers and Envoy security experts.
Envoy is a participant in Google’s Vulnerability Reward Program (VRP). This is open to all security researchers and will provide rewards for discovering vulnerabilities.
The Istio patch is available from www.istio.io.
Tetrate will continue to work in close coordination with Istio and the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.