Envoy TCP Proxy and HTTP Mixed Use Case Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Envoy versions prior to 1.36.1, 1.35.5, 1.34.9, and 1.33.10. The issue lies in TCP connection pool management, where large requests and responses can disrupt flow control. The crash occurs when a connection is closing while upstream data continues to flow, which leads to a null reference in the buffer watermark callback. This vulnerability affects TCP proxying and mixed HTTP/1 and HTTP/2 scenarios that rely on ALPN.

Impact

Exploitation of this vulnerability causes a crash in the TCP connection pool, disrupting service and potentially leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending large requests from slow clients to an Envoy TCP proxy, then closing the connection before all upstream data has been transmitted. This sequence can trigger the connection pool crash by creating a buffer management issue.

Remediation

Users can upgrade to Envoy versions 1.36.1, 1.35.5, 1.34.9, or 1.33.10 to address this vulnerability.
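One check an operator would want when triaging a fleet is whether each running Envoy sits at or above the fixed release for its maintenance branch. The script below is an added example, not code from the advisory or from the Envoy project: it extracts the first X.Y.Z triple from a version string (the `envoy --version` output line used as sample input is constructed here and its layout is an assumption), compares it against the four fixed releases named above, reports branches older than 1.33 as vulnerable because the advisory covers everything prior to the listed versions, and reports branches newer than 1.36 as unknown because the page says nothing about them.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (1, 36): (1, 36, 1),
    (1, 35): (1, 35, 5),
    (1, 34): (1, 34, 9),
    (1, 33): (1, 33, 10),
}

# Matches the first dotted X.Y.Z triple anywhere in a string, so it works on a bare
# "1.35.3" as well as on a longer version line that embeds the release number.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z triple found in `text`, or None if there is none."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(group) for group in match.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a release as 'patched', 'vulnerable' or 'unknown' for this advisory.

    - A branch named in the advisory is patched once its patch level reaches the fix.
    - A branch older than every fixed branch has no fixed release, so it is vulnerable.
    - A branch newer than every fixed branch is not covered by the advisory text,
      so it is reported as unknown rather than guessed.
    """
    branch = (version[0], version[1])
    if branch in FIXED_BY_BRANCH:
        return "patched" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch < min(FIXED_BY_BRANCH):
        return "vulnerable"
    return "unknown"


def assess_version_output(line: str) -> str:
    """Assess a raw version line; an unparseable line is reported as 'unknown'."""
    version = parse_version(line)
    if version is None:
        return "unknown"
    return assess(version)


if __name__ == "__main__":
    # Constructed sample input: the layout assumes `envoy --version` embeds the
    # release number between slashes; adjust the parser if your build differs.
    sample_lines = [
        "envoy  version: 0123456789abcdef/1.35.3/Clean/RELEASE/BoringSSL",
        "envoy  version: 0123456789abcdef/1.36.1/Clean/RELEASE/BoringSSL",
        "1.32.7",
        "not a version line",
    ]
    for line in sample_lines:
        print(f"{assess_version_output(line):10s}  {line}")
```

Run it against the output of `envoy --version` collected from each node; anything reported as vulnerable should be scheduled for the upgrade described above, and anything reported as unknown should be checked against the project's release notes for that branch.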

Added: Oct 16, 2025, 6:19 PM
Updated: Oct 16, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          7.3
  impact          2.5
  exploitability  7.6
  remediation     7.7
  relevance       0.8
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.