CNCF Envoy
cpe:2.3:a:cncf:envoy:*:*:*:*:*:*:*
- < 1.13.0
A denial-of-service vulnerability has been identified in CNCF Envoy versions prior to 1.13.0. The issue arises in the HTTP/1 codec component, where Envoy can consume excessive memory when handling pipelined requests. The vulnerability is exploited by sending a TCP buffer filled with multiple HTTP requests. If the client reads the responses slowly, Envoy generates internal 400 error responses, which accumulate in memory and lead to resource exhaustion. The issue bypasses Envoy's overload management, which makes the memory consumption worse.
Exploitation of this vulnerability causes a denial-of-service condition by consuming excessive amounts of memory, which can lead to memory exhaustion and potentially cause the Envoy process to terminate.
To reproduce this vulnerability, send a series of pipelined HTTP/1.1 requests to an Envoy server that is running a vulnerable version. Ensure that the client reads the responses slowly. This can be done by introducing a delay in the response handling. As Envoy processes the requests, it will generate 400 error responses that are sent back to the client. If the client does not read these responses promptly, they will accumulate in the server's memory, causing excessive memory usage.
Upgrade to Envoy version 1.13.1 or 1.12.3, where this vulnerability has been patched.
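To check a fleet against the fixed releases above, the following added example (not part of the advisory or the Envoy project) classifies version strings, either bare `X.Y.Z` or the `envoy --version` banner. Host names and the all-zero commit hash are constructed; it assumes release lines newer than 1.13 carry the fix, and it reports 1.13.0 as "unlisted" because this page names it neither as affected nor as fixed.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED = {(1, 12): (1, 12, 3), (1, 13): (1, 13, 1)}
NEWEST_FIXED = max(FIXED.values())
AFFECTED_BELOW = (1, 13, 0)  # advisory's affected range: "< 1.13.0"


def parse_version(text):
    """Return (major, minor, patch) from a bare 'X.Y.Z' or a
    '<sha>/X.Y.Z/Clean/RELEASE/...' banner; None for anything else (e.g. -dev)."""
    for field in text.split("/"):
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", field.strip())
        if m:
            return tuple(int(g) for g in m.groups())
    return None


def classify(text):
    v = parse_version(text)
    if v is None:
        return "unknown"          # needs manual review
    fixed = FIXED.get(v[:2])
    if fixed is not None and v >= fixed:
        return "patched"          # at or past the fix on its own branch
    if v > NEWEST_FIXED:
        return "patched"          # assumption: later release lines include the fix
    if v < AFFECTED_BELOW:
        return "vulnerable"
    return "unlisted"             # 1.13.0: not in the affected range, not a fixed release


def triage(inventory):
    """Group hosts by status so vulnerable ones can be upgraded first."""
    report = {}
    for host, version_text in inventory.items():
        report.setdefault(classify(version_text), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts, placeholder commit hash).
SHA = "0" * 40
SAMPLE_INVENTORY = {
    "edge-01": f"envoy  version: {SHA}/1.12.2/Clean/RELEASE/BoringSSL",
    "edge-02": f"envoy  version: {SHA}/1.12.3/Clean/RELEASE/BoringSSL",
    "edge-03": "1.13.0",
    "edge-04": "1.13.1",
    "edge-05": "1.14.0-dev",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:10s} {', '.join(hosts)}")
```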