ISTIO-SECURITY-2024-002
CVEs reported by the Envoy and Go projects.

| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2024-27919, CVE-2024-30255, CVE-2023-45288 |
| CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | All releases prior to 1.19.0; 1.19.0 to 1.19.8; 1.20.0 to 1.20.4; 1.21.0 |
CVE
Envoy CVEs
- CVE-2024-27919: (CVSS Score 7.5, High): HTTP/2: memory exhaustion due to CONTINUATION frame flood.
- CVE-2024-30255: (CVSS Score 5.3, Moderate): HTTP/2: CPU exhaustion due to CONTINUATION frame flood.
Go CVEs
NOTE: At the time of publishing, the CVE was not yet scored or vectored.
- CVE-2023-45288: (CVSS Score Unpublished): HTTP/2 CONTINUATION frames can be utilized for DoS attacks.
Am I Impacted?
You are impacted if you accept HTTP/2 traffic from untrusted sources, which applies to most users. This especially applies if you use a Gateway exposed on the public internet.
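The three CVEs share one mechanism: a HEADERS frame sent without END_HEADERS may be followed by any number of CONTINUATION frames, and a receiver that buffers the whole header block until END_HEADERS arrives has no natural stop. The Go program below is an added illustration written for this page, not code from Istio, Envoy or the Go standard library. It builds raw HTTP/2 frames (RFC 9113 framing, no HPACK, so the fragments are constructed filler bytes), generates a CONTINUATION flood, and shows a receiver that assembles the header block either unbounded (the behaviour the advisory describes) or with a byte limit that rejects the connection once exceeded. The names `buildFrame`, `continuationFlood` and `assembleHeaderBlock` are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 frame types and flags involved in header block delivery (RFC 9113).
const (
	frameHeaders      = 0x1
	frameContinuation = 0x9
	flagEndHeaders    = 0x4
	frameHeaderLen    = 9
)

type frame struct {
	typ, flags uint8
	streamID   uint32
	payload    []byte
}

// buildFrame serialises one frame: 24-bit length, type, flags, 31-bit stream id, payload.
func buildFrame(typ, flags uint8, streamID uint32, payload []byte) []byte {
	buf := make([]byte, frameHeaderLen+len(payload))
	buf[0], buf[1], buf[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	buf[3], buf[4] = typ, flags
	binary.BigEndian.PutUint32(buf[5:9], streamID&0x7fffffff)
	copy(buf[9:], payload)
	return buf
}

// parseFrames splits a byte stream into frames; truncated input is an error.
func parseFrames(data []byte) ([]frame, error) {
	var frames []frame
	for len(data) > 0 {
		if len(data) < frameHeaderLen {
			return nil, errors.New("truncated frame header")
		}
		n := int(data[0])<<16 | int(data[1])<<8 | int(data[2])
		if len(data) < frameHeaderLen+n {
			return nil, errors.New("truncated frame payload")
		}
		frames = append(frames, frame{
			typ: data[3], flags: data[4],
			streamID: binary.BigEndian.Uint32(data[5:9]) & 0x7fffffff,
			payload:  data[frameHeaderLen : frameHeaderLen+n],
		})
		data = data[frameHeaderLen+n:]
	}
	return frames, nil
}

// continuationFlood emits HEADERS (no END_HEADERS) followed by n CONTINUATION frames of
// fragSize constructed filler bytes, none carrying END_HEADERS: the header block never closes.
func continuationFlood(streamID uint32, n, fragSize int) []byte {
	frag := make([]byte, fragSize)
	out := buildFrame(frameHeaders, 0, streamID, frag)
	for i := 0; i < n; i++ {
		out = append(out, buildFrame(frameContinuation, 0, streamID, frag)...)
	}
	return out
}

// assembleHeaderBlock is the receiver. maxBytes == 0 buffers without limit (vulnerable);
// maxBytes > 0 aborts once the accumulated block exceeds it. It returns how many bytes
// were buffered and a non-nil error whenever the block did not end cleanly.
func assembleHeaderBlock(data []byte, maxBytes int) (int, error) {
	frames, err := parseFrames(data)
	if err != nil {
		return 0, err
	}
	var block []byte
	open, stream := false, uint32(0)
	for _, f := range frames {
		switch {
		case f.typ == frameHeaders && !open:
			open, stream = true, f.streamID
			block = append(block, f.payload...)
		case f.typ == frameContinuation && open && f.streamID == stream:
			block = append(block, f.payload...)
		default:
			return len(block), errors.New("frame not allowed at this point; connection error")
		}
		if maxBytes > 0 && len(block) > maxBytes {
			return len(block), errors.New("header block exceeds limit; reject connection")
		}
		if f.flags&flagEndHeaders != 0 {
			return len(block), nil
		}
	}
	return len(block), errors.New("header block never terminated")
}

func main() {
	flood := continuationFlood(1, 1000, 1024)
	n, err := assembleHeaderBlock(flood, 0)
	fmt.Printf("unbounded receiver buffered %d bytes: %v\n", n, err)
	n, err = assembleHeaderBlock(flood, 16384)
	fmt.Printf("bounded receiver stopped at %d bytes: %v\n", n, err)
}
```

The unbounded receiver keeps growing `block` for as long as the attacker keeps sending, which is the memory exhaustion in CVE-2024-27919; the CPU cost of decoding each fragment is the CVE-2024-30255 side of the same flood. The fixed Envoy and Go releases apply a bound of the same shape as `maxBytes` and fail the connection rather than the stream.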