Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoys HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoys header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable HTTP/2 protocol for downstream connections.
The product detects a specific error, but takes no actions to handle the error.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Migration Toolkit for Containers 1.7 | RedHat | rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8:v1.7.16-6 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/grafana-rhel8:2.5.5-3 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/istio-cni-rhel8:2.5.5-4 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/istio-must-gather-rhel8:2.5.5-4 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1.73.14-3 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.73.15-3 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/pilot-rhel8:2.5.5-4 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/proxyv2-rhel8:2.5.5-6 | * |
| Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/ratelimit-rhel8:2.5.5-3 | * |