#VU78293 Memory leak in envoy


Published: 2023-07-16

Vulnerability identifier: #VU78293

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-35945

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
envoy
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Cloud Native Computing Foundation

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when handling HTTP/2 requests within the nghttp2 codec. A remote attacker can send RST_STREAM immediately followed by the GOAWAY frames to the application and force memory leak.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

envoy: 1.23.0 - 1.26.2

External links
http://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346
http://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Dell EMC NetWorker vProxy update for third-party components
SUSE update for Updates Cilium
Multiple vulnerabilities in Dell Secure Connect Gateway
SUSE update for nghttp2
SUSE update for nghttp2
SUSE update for nghttp2
Multiple vulnerabilities in Red Hat OpenShift Service Mesh 2.2
Multiple vulnerabiltiies in Red Hat OpenShift Service Mesh Containers 2.3
openEuler update for nghttp2
Amazon Linux AMI update for nghttp2