Envoy
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*
- >= v1.36.0, < v1.37.1
- < v1.36.5
A denial-of-service vulnerability has been identified in Envoy versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13. The issue arises in the rate limit filter when both request-phase and response-phase limits are enabled. If the response-phase rate limit request fails directly (for example, on a network failure), Envoy can crash. The cause is that the gRPC client instance is reused for both phases and does not properly clean up its inner state after the request phase, so the response phase accesses stale data and fails.
Exploiting this vulnerability can cause Envoy to crash, disrupting service availability.
The vulnerability can be reproduced by enabling both the request-phase and response-phase limits in the rate limit filter and then causing a network failure that makes the response-phase rate limit request fail directly. This can be simulated by mocking a network failure or through a unit test that replicates the failure scenario.
As a workaround, users can split the rate limit configuration into two separate filter instances: one for normal rate limits without 'apply_on_stream_done', and another for the rate limits that set 'apply_on_stream_done'. Because each filter instance then handles only one phase, the failing response-phase request no longer reuses a gRPC client left in the request-phase state, and the crash does not occur.
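The following HTTP connection manager fragment is an added example, not configuration from the advisory or from the Envoy project, showing the affected single-filter shape next to the split shape the workaround describes. It assumes a rate limit service cluster named ratelimit_service and an upstream cluster named backend (both constructed names), and it uses the rate limit filter's `stage` field so that each filter instance only picks up the route rate_limits carrying its stage number; that stage-based selection is one way of implementing the separation, chosen here as an assumption rather than taken from the advisory. The two variants are given as separate YAML documents.

```yaml
# Added example: affected shape (first document) and workaround shape (second
# document). Both are fragments of the HttpConnectionManager typed_config.
# Assumed names: cluster "ratelimit_service", upstream cluster "backend".

# Affected shape: ONE rate limit filter instance serves both the request-phase
# limit and the response-phase (apply_on_stream_done) limit, so the same gRPC
# client is reused across both phases.
http_filters:
- name: envoy.filters.http.ratelimit
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
    domain: edge_proxy
    rate_limit_service:
      transport_api_version: V3
      grpc_service:
        envoy_grpc:
          cluster_name: ratelimit_service
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
  virtual_hosts:
  - name: backend
    domains: ["*"]
    routes:
    - match: { prefix: "/" }
      route:
        cluster: backend
        rate_limits:
        - actions:                      # request phase
          - generic_key: { descriptor_value: per_request }
        - apply_on_stream_done: true    # response phase, same filter instance
          actions:
          - generic_key: { descriptor_value: on_stream_done }
---
# Workaround shape: TWO rate limit filter instances. Each is given its own
# stage number, and the route's rate_limits entries are tagged with the stage
# of the instance that should evaluate them. Filter names are free-form labels;
# the typed_config "@type" selects the filter implementation.
http_filters:
- name: envoy.filters.http.ratelimit.request_phase
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
    domain: edge_proxy
    stage: 0                            # only rate_limits with stage 0
    rate_limit_service:
      transport_api_version: V3
      grpc_service:
        envoy_grpc:
          cluster_name: ratelimit_service
- name: envoy.filters.http.ratelimit.stream_done
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
    domain: edge_proxy
    stage: 1                            # only rate_limits with stage 1
    rate_limit_service:
      transport_api_version: V3
      grpc_service:
        envoy_grpc:
          cluster_name: ratelimit_service
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
  virtual_hosts:
  - name: backend
    domains: ["*"]
    routes:
    - match: { prefix: "/" }
      route:
        cluster: backend
        rate_limits:
        - stage: 0                      # handled by the request_phase instance
          actions:
          - generic_key: { descriptor_value: per_request }
        - stage: 1                      # handled by the stream_done instance
          apply_on_stream_done: true
          actions:
          - generic_key: { descriptor_value: on_stream_done }
```

The second document keeps the same domain and descriptors, so the rate limit service sees identical descriptors before and after the change; only the in-proxy split of which filter instance issues each gRPC call differs. Upgrading to a fixed release remains the primary remediation; this split is the interim measure the advisory describes.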