CVE-2020-8659
📋 TL;DR
CVE-2020-8659 is a memory exhaustion vulnerability in CNCF Envoy proxy that allows attackers to cause denial of service by sending HTTP/1.1 requests with many small chunks. This affects Envoy deployments handling HTTP/1.1 traffic, potentially causing service disruption through resource exhaustion.
💻 Affected Systems
- CNCF Envoy
📦 What is this software?
Envoy by CNCF
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, leading to unavailability of proxied services and potential cascading failures in dependent systems.
Likely Case
Degraded performance or intermittent service disruptions as Envoy consumes excessive memory, potentially requiring restarts.
If Mitigated
Minimal impact with proper memory limits and monitoring in place, though some performance degradation may still occur during attacks.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP/1.1 requests with many small chunks. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.1 and later
Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv
Restart Required: Yes
Instructions:
1. Upgrade Envoy to version 1.13.1 or later.
2. Update configuration if using custom builds.
3. Restart Envoy service.
4. Verify the fix by checking version and monitoring memory usage.
🔧 Temporary Workarounds
Limit HTTP/1.1 chunk size
Configure Envoy to reject or limit small chunk sizes in HTTP/1.1 requests. Note that the snippet below, as given, only declares the standard router filter; it sets no chunk-size parameter of its own.
envoy --config-yaml '
http_filters:
  - name: envoy.filters.http.router
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
'
Implement rate limiting
Add rate limiting for HTTP/1.1 connections to prevent excessive chunk attacks
Configure via Envoy's rate limit filter or external service
🧯 If You Can't Patch
- Implement network-level protections like WAF rules to detect and block HTTP/1.1 requests with many small chunks
- Deploy memory monitoring and alerting with automatic restart thresholds for Envoy processes
🔍 How to Verify
Check if Vulnerable:
Check the Envoy version: if it is ≤ 1.13.0 and the deployment handles HTTP/1.1 traffic, the system is vulnerable.
Check Version:
envoy --version
Verify Fix Applied:
Verify Envoy version is ≥ 1.13.1 and monitor memory usage during HTTP/1.1 traffic for abnormal patterns.
📡 Detection & Monitoring
Log Indicators:
- High memory usage alerts
- Frequent Envoy restarts
- HTTP/1.1 requests with many small chunk headers
Network Indicators:
- Unusual patterns of HTTP/1.1 chunked transfer encoding requests
- High volume of small HTTP chunks from single sources
SIEM Query:
source="envoy" AND ("memory high" OR "chunk" OR "HTTP/1.1") | stats count by src_ip
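Added example (not code from this page or from the Envoy project): a small Python detector that parses a captured HTTP/1.1 chunked body and flags the "many small chunks" pattern listed above under Network Indicators and suggested as a WAF rule under "If You Can't Patch". The thresholds MAX_CHUNKS and SMALL_CHUNK_BYTES and the sample bodies in SAMPLES are constructed here for illustration and are not values from the advisory; tune them to your own traffic baseline.

```python
"""Flag HTTP/1.1 chunked bodies made of many tiny chunks (CVE-2020-8659 indicator).

Added example, not from the advisory page. Thresholds and sample inputs are
constructed assumptions; adjust them to the traffic your proxies actually see.
"""
from dataclasses import dataclass

MAX_CHUNKS = 64          # assumed: more chunks than this in one body is unusual
SMALL_CHUNK_BYTES = 8    # assumed: chunks at or below this size count as "small"


@dataclass
class ChunkStats:
    chunk_count: int
    small_chunk_count: int
    payload_bytes: int
    framing_bytes: int     # bytes spent on size lines and CRLFs, i.e. per-chunk overhead
    malformed: bool


def parse_chunked_body(body: bytes) -> ChunkStats:
    """Walk an RFC 7230 chunked body and record per-chunk statistics.

    Parsing stops at the terminating zero-size chunk; trailer fields after it
    are ignored. Inconsistent framing is reported as malformed instead of
    raising, so the caller can still alert on it.
    """
    pos = 0
    count = small = payload = framing = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return ChunkStats(count, small, payload, framing, malformed=True)
        # RFC 7230 allows chunk extensions after ';' on the size line; drop them.
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return ChunkStats(count, small, payload, framing, malformed=True)
        framing += (eol + 2) - pos          # size line plus its CRLF
        pos = eol + 2
        if size == 0:
            return ChunkStats(count, small, payload, framing, malformed=False)
        if body[pos + size:pos + size + 2] != b"\r\n":
            return ChunkStats(count, small, payload, framing, malformed=True)
        count += 1
        payload += size
        framing += 2                        # CRLF after the chunk data
        if size <= SMALL_CHUNK_BYTES:
            small += 1
        pos += size + 2


def is_suspicious(stats: ChunkStats) -> bool:
    """True for the many-small-chunks pattern, or for a body we could not parse."""
    if stats.malformed:
        return True
    if stats.chunk_count <= MAX_CHUNKS:
        return False
    # Most chunks are tiny and the framing overhead rivals the payload itself.
    return (stats.small_chunk_count * 2 > stats.chunk_count
            and stats.framing_bytes >= stats.payload_bytes)


# Constructed sample bodies standing in for captured request/response bodies.
SAMPLES = {
    # Ordinary body: three 16-byte chunks (0x10 = 16).
    "normal_upload": b"".join(b"10\r\n" + b"x" * 16 + b"\r\n" for _ in range(3)) + b"0\r\n\r\n",
    # The indicator pattern from the advisory: 200 one-byte chunks.
    "many_tiny_chunks": b"1\r\nA\r\n" * 200 + b"0\r\n\r\n",
    # Framing cut off mid-chunk, e.g. a connection dropped during transfer.
    "truncated": b"5\r\nhel",
}


def scan(samples: dict) -> dict:
    """Run the detector over each sample and return name -> suspicious flag."""
    return {name: is_suspicious(parse_chunked_body(body)) for name, body in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan(SAMPLES).items():
        print(f"{name}: {'ALERT' if flagged else 'ok'}")
```

In a WAF or log-triage pipeline the same statistics (chunk count, small-chunk share, framing-to-payload ratio) are what you would emit per connection, so that the SIEM query above can aggregate by source address instead of matching on free-text keywords.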
🔗 References
- https://access.redhat.com/errata/RHSA-2020:0734
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv
- https://lists.debian.org/debian-lts-announce/2022/05/msg00025.html
- https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history