Skip to content

Crash in HTTP2 when empty METADATA map triggers a reachable assertion.

High
mattklein123 published GHSA-rqvq-hxw5-776j Apr 15, 2021

Package

No package listed

Affected versions

1.17.1, 1.16.2, 1.15.3, and 1.14.6

Patched versions

1.18.0, 1.17.2, 1.16.3, 1.15.4, and 1.14.7

Description

Brief Description

Remotely exploitable crash in Envoy's HTTP2 Metadata, when an empty METADATA map is sent.

Impact

Denial of service.

Mitigation

Do not enable HTTP2 Metadata frame support.

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25303

Attack vector(s)

A remote attacker can send an HTTP2 request with a METADATA frame containing empty METADATA map causing a Envoy to crash.

Severity

High

CVE ID

CVE-2021-29258

Weaknesses

Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Learn more on MITRE.