CVE-2023-35945
📋 TL;DR
Envoy's HTTP/2 implementation has a memory leak vulnerability when receiving RST_STREAM followed by GOAWAY frames from upstream servers. This allows attackers to cause denial of service through memory exhaustion by repeatedly triggering the condition. All Envoy deployments using affected versions are vulnerable.
💻 Affected Systems
- Envoy Proxy
📦 What is this software?
Envoy by Envoyproxy
Nghttp2 by Nghttp2
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, causing Envoy to crash or become unresponsive, potentially affecting all traffic through the proxy.
Likely Case
Degraded performance and intermittent service disruptions as memory consumption increases, requiring manual intervention to restart services.
If Mitigated
Minimal impact with proper monitoring and rapid response to memory spikes, but still requires patching to eliminate the vulnerability.
🎯 Exploit Status
Exploitation requires sending specific HTTP/2 frame sequences but doesn't require authentication. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.26.3, 1.25.8, 1.24.9, or 1.23.11
Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
Restart Required: Yes
Instructions:
1. Identify the current Envoy version.
2. Upgrade to a patched version (1.26.3, 1.25.8, 1.24.9, or 1.23.11).
3. Restart the Envoy service.
4. Verify the new version is running.
🔧 Temporary Workarounds
Rate limit upstream connections
Limit the rate of HTTP/2 connections from upstream servers to reduce the attack surface.
# Configure connection rate limiting in Envoy configuration
# Example: circuit_breaker thresholds or connection limits
Monitor memory usage
Implement aggressive memory monitoring and automatic restart thresholds.
# Set up monitoring alerts for Envoy memory usage
# Example: alert if memory > 80% for 5 minutes
🧯 If You Can't Patch
- Implement strict network controls to limit which upstream servers can communicate with Envoy
- Deploy memory monitoring with automatic restart policies when memory thresholds are exceeded
🔍 How to Verify
Check if Vulnerable:
Check Envoy version: if running version before 1.26.3, 1.25.8, 1.24.9, or 1.23.11, the system is vulnerable.
Check Version:
envoy --version
Verify Fix Applied:
Confirm Envoy is running patched version (1.26.3, 1.25.8, 1.24.9, or 1.23.11) and monitor memory usage for stability.
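The version check above, as an added example script (not part of the original advisory or of the Envoy project): it parses `envoy --version` output and compares the release against the fixed versions listed here, per minor line. Assumptions: `envoy --version` prints the release as `<sha>/X.Y.Z/...` (the usual Envoy format), lines older than 1.23 are treated as unpatched, and lines newer than 1.26 as carrying the fix.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per minor line, taken from the advisory above.
FIXED = {
    (1, 23): (1, 23, 11),
    (1, 24): (1, 24, 9),
    (1, 25): (1, 25, 8),
    (1, 26): (1, 26, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_envoy_version(output: str) -> Optional[Version]:
    """Extract X.Y.Z from `envoy --version` output.

    Typical output (assumed format): 'envoy  version: <sha>/1.26.2/Clean/RELEASE/BoringSSL'.
    The commit sha is hex without dots, so the first dotted triple is the release.
    Returns None when no version is present.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable_to_cve_2023_35945(version: Version) -> bool:
    """True when the release predates the fix for its minor line."""
    line = (version[0], version[1])
    if line in FIXED:
        return version < FIXED[line]
    # Assumption: lines older than 1.23 never got a backport (vulnerable);
    # lines cut after 1.26 already include the fix (not vulnerable).
    return line < (1, 23)


def check_local_envoy(binary: str = "envoy") -> Optional[bool]:
    """Run the local binary and report vulnerability status (None if unparsable)."""
    proc = subprocess.run([binary, "--version"], capture_output=True, text=True, check=False)
    version = parse_envoy_version(proc.stdout + proc.stderr)
    return None if version is None else is_vulnerable_to_cve_2023_35945(version)


if __name__ == "__main__":
    print("vulnerable" if check_local_envoy() else "patched or unknown")
```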
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption patterns
- Frequent restarts due to memory exhaustion
- HTTP/2 connection errors with GOAWAY frames
Network Indicators:
- Unusual patterns of RST_STREAM followed by GOAWAY frames
- HTTP/2 traffic from unexpected sources
SIEM Query:
source="envoy" AND ("memory" OR "restart" OR "GOAWAY")
🔗 References
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
- https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346