CVE-2021-39204
📋 TL;DR
This CVE tracks, for Pomerium, a denial-of-service weakness in the HTTP/2 stream reset handling of Envoy, the proxy Pomerium embeds as its data plane (the Envoy advisory is linked under References). An unauthenticated client that opens and immediately resets large numbers of HTTP/2 streams forces the embedded Envoy to spend CPU on reset handling, degrading or stalling the proxy. Pomerium releases before 0.14.8, and 0.15.0, ship the vulnerable Envoy; 0.14.8 and 0.15.1 ship the fix.
💻 Affected Systems
- Pomerium versions before 0.14.8, and 0.15.0 (the embedded Envoy binary is the vulnerable component)
📦 What is this software?
Envoy by Envoyproxy: the L7 proxy that Pomerium embeds as its data plane; the HTTP/2 codec whose stream reset handling is expensive lives here.
Pomerium by Pomerium: an identity-aware access proxy that bundles an Envoy binary; the fix is a Pomerium release that ships a patched Envoy.
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of Pomerium proxy, blocking all identity-aware access to protected applications and services.
Likely Case
Degraded performance and intermittent availability issues affecting application access through Pomerium.
If Mitigated
Minimal impact with proper monitoring and rapid response to anomalous traffic patterns.
🎯 Exploit Status
No authentication is needed: RST_STREAM frames are handled by Envoy's HTTP/2 codec before any Pomerium identity check runs, so any client that can open an HTTP/2 connection to the proxy can attempt this. Only HTTP/2 protocol manipulation is required, and reset floods are simple to script.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.8 or 0.15.1
Vendor Advisory: https://github.com/pomerium/pomerium/security/advisories/GHSA-5wjf-62hw-q78r
Restart Required: Yes
Instructions:
1. Stop the Pomerium service (or drain the instance from the load balancer for a rolling upgrade).
2. Update to Pomerium 0.14.8 (0.14 line) or 0.15.1 (0.15 line); both ship the patched embedded Envoy.
3. Restart the Pomerium service.
4. Verify the new version is running (pomerium --version).
🔧 Temporary Workarounds
Rate limit HTTP/2 connections in front of Pomerium
Pomerium's configuration file does not expose Envoy's HTTP/2 codec limits, so there is no Pomerium YAML key that caps stream resets. Apply the limit at the layer in front of Pomerium (load balancer, WAF, or host firewall): cap new connections per source address and per-connection request rate so a single client cannot open and reset streams fast enough to saturate a core. This reduces impact only; it does not remove the vulnerable code path.
🧯 If You Can't Patch
- Implement network-level rate limiting (per-source connection and request caps) for HTTP/2 traffic reaching Pomerium instances; if your edge can terminate HTTP/2 and forward HTTP/1.1 to Pomerium, RST_STREAM frames never reach the vulnerable codec
- Deploy additional Pomerium instances behind a load balancer; this raises the attacker's cost, but each instance remains individually exhaustible
🔍 How to Verify
Check if Vulnerable:
Run pomerium --version: any version older than 0.14.8, and exactly 0.15.0, is vulnerable; 0.14.8 through the rest of the 0.14 line, and 0.15.1 or later, carry the fix.
Check Version:
pomerium --version
Verify Fix Applied:
Confirm Pomerium version is 0.14.8 or 0.15.1 or later
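Worked version check covering the fix-verification step above and the affected ranges in this section, added here as an illustration; it is not part of Pomerium. It parses the output of pomerium --version, whose exact format is an assumption (the regexp accepts any x.y.z, so "pomerium/v0.15.0", "v0.15.0" and "0.15.0" all work), applies the ranges from the advisory, and returns a verdict string a fleet inventory script can collect. All function and type names are the example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Version is a parsed Pomerium release number.
type Version struct{ Major, Minor, Patch int }

var versionRE = regexp.MustCompile(`(\d+)\.(\d+)\.(\d+)`)

// ParseVersion extracts the first x.y.z from `pomerium --version` output.
// The exact output format is an assumption, so matching is deliberately lenient.
func ParseVersion(out string) (Version, error) {
	m := versionRE.FindStringSubmatch(out)
	if m == nil {
		return Version{}, fmt.Errorf("no x.y.z version found in %q", out)
	}
	major, _ := strconv.Atoi(m[1]) // digits only, so Atoi cannot fail here
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	return Version{major, minor, patch}, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// Vulnerable applies the advisory's affected ranges: anything older than 0.14.8,
// plus 0.15.0 exactly. 0.14.8 and later 0.14.x, and 0.15.1 and later, are fixed.
func Vulnerable(v Version) bool {
	return v.Less(Version{0, 14, 8}) || v == (Version{0, 15, 0})
}

// Assess turns raw --version output into a one-line verdict for a fleet report.
func Assess(out string) (string, error) {
	v, err := ParseVersion(out)
	if err != nil {
		return "", err
	}
	if Vulnerable(v) {
		return fmt.Sprintf("%d.%d.%d VULNERABLE: upgrade to 0.14.8 or 0.15.1", v.Major, v.Minor, v.Patch), nil
	}
	return fmt.Sprintf("%d.%d.%d fixed", v.Major, v.Minor, v.Patch), nil
}

func main() {
	// Constructed sample outputs, not captures from real hosts.
	for _, out := range []string{"pomerium/v0.14.7", "v0.15.0", "pomerium/v0.15.1", "0.16.0", "unknown"} {
		verdict, err := Assess(out)
		fmt.Println(out, "->", verdict, err)
	}
}
```

In practice you would run the binary on each host (for example over SSH or a configuration-management fact) and pass its stdout to Assess; the parser ignores any prefix or suffix around the version number.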
📡 Detection & Monitoring
Log Indicators:
- CPU spike on the Pomerium/Envoy process without a matching rise in completed requests
- Rising HTTP/2 stream reset counts in Envoy stats (Envoy's http2.rx_reset counter, where Envoy metrics are scraped) or reset errors in Envoy logs
- Connection timeout errors
Network Indicators:
- Unusual volume of HTTP/2 RST_STREAM frames
- High number of short-lived HTTP/2 connections
SIEM Query:
source="pomerium" AND ("stream reset" OR "connection limit" OR "rx_reset")
This is a template: Pomerium and Envoy do not normally log a literal "high cpu" message, so pair any log search with a metric alert on the rate of Envoy's http2.rx_reset relative to downstream_rq_total rather than relying on log strings alone.
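Sample detector for the RST_STREAM network indicator above, added here as an illustration; it is not Pomerium or Envoy code. It decodes raw client-to-server HTTP/2 frames per RFC 7540 (9-octet header: 24-bit length, type, flags, 31-bit stream id) and flags a connection whose client-opened streams are almost all reset immediately. The thresholds, the helper names and the sample traffic (built in-code by Sample, not captured) are assumptions; in production you would feed it per-connection byte streams from a capture and window by time and source address.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const headerLen = 9                                // HTTP/2 frame header size (RFC 7540 4.1)
const typeHeaders, typeRSTStream uint8 = 0x1, 0x3 // frame type codes (RFC 7540 6)

// Frame is one decoded HTTP/2 frame: header fields plus payload.
type Frame struct {
	Type, Flags uint8
	StreamID    uint32
	Payload     []byte
}

// EncodeFrame serialises a frame; used here only to build sample traffic.
func EncodeFrame(typ, flags uint8, streamID uint32, payload []byte) []byte {
	n := len(payload)
	out := make([]byte, headerLen+n)
	out[0], out[1], out[2] = byte(n>>16), byte(n>>8), byte(n) // 24-bit length
	out[3], out[4] = typ, flags
	binary.BigEndian.PutUint32(out[5:9], streamID&0x7fffffff) // reserved bit cleared
	copy(out[headerLen:], payload)
	return out
}

// ParseFrames splits a client-to-server byte stream (after the connection preface) into
// frames. Frames decoded before a truncated tail are returned with the error.
func ParseFrames(b []byte) ([]Frame, error) {
	var frames []Frame
	for len(b) > 0 {
		if len(b) < headerLen {
			return frames, fmt.Errorf("truncated frame header (%d bytes)", len(b))
		}
		n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
		if len(b) < headerLen+n {
			return frames, fmt.Errorf("truncated payload: need %d, have %d", n, len(b)-headerLen)
		}
		frames = append(frames, Frame{
			Type: b[3], Flags: b[4],
			StreamID: binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff,
			Payload:  b[headerLen : headerLen+n],
		})
		b = b[headerLen+n:]
	}
	return frames, nil
}

// ResetStats summarises one connection's stream churn: client-opened streams
// (first HEADERS on an odd stream id) and RST_STREAM frames the client sent.
type ResetStats struct{ Opened, Resets int }

// AnalyzeConnection counts opened streams and resets on one connection.
func AnalyzeConnection(b []byte) (ResetStats, error) {
	frames, err := ParseFrames(b)
	seen := map[uint32]bool{}
	var s ResetStats
	for _, f := range frames {
		switch f.Type {
		case typeHeaders:
			if f.StreamID%2 == 1 && !seen[f.StreamID] {
				seen[f.StreamID] = true
				s.Opened++
			}
		case typeRSTStream:
			s.Resets++
		}
	}
	return s, err
}

// IsResetFlood flags a connection that opened at least minOpened streams and reset at
// least minRatio of them. Thresholds are assumptions; also window by time in production.
func IsResetFlood(s ResetStats, minOpened int, minRatio float64) bool {
	if s.Opened == 0 || s.Opened < minOpened {
		return false
	}
	return float64(s.Resets)/float64(s.Opened) >= minRatio
}

// Sample builds constructed (not captured) client traffic: n streams, each opened with a
// minimal HEADERS frame, the first `resets` of them cancelled at once (resets == n is the flood).
func Sample(n, resets int) []byte {
	cancel := []byte{0, 0, 0, 0x8} // RST_STREAM error code CANCEL
	var b []byte
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		// Flags 0x5 = END_STREAM|END_HEADERS; payload 0x82 is HPACK for ":method: GET".
		b = append(b, EncodeFrame(typeHeaders, 0x5, id, []byte{0x82})...)
		if i < resets {
			b = append(b, EncodeFrame(typeRSTStream, 0, id, cancel)...)
		}
	}
	return b
}
```

With the sample thresholds, AnalyzeConnection(Sample(500, 500)) yields 500 opened and 500 reset streams and IsResetFlood(s, 100, 0.9) is true, while Sample(500, 1) (one cancelled request among 500) is not flagged. A partial capture returns the frames decoded so far together with a truncation error, so a detector can score what it has instead of discarding the connection.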
🔗 References
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-3xh3-33v5-chcc
- https://github.com/pomerium/pomerium/security/advisories/GHSA-5wjf-62hw-q78r
- https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ