Description
Upon receiving each incoming request header, Envoy iterates over the request headers already received to verify that their total size stays below a maximum limit. Because that check walks every existing header for every new header, the implementation in versions 1.10.0 and later for HTTP/1.x traffic, and in all versions of Envoy for HTTP/2 traffic, has O(n^2) performance characteristics in the number of headers. A remote attacker can craft a request that stays below the maximum request header size but consists of many thousands of small headers, consuming CPU on the worker thread and resulting in a denial of service.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High)
Affected versions
Envoy 1.10.0 and later are affected for HTTP/1.x traffic. All Envoy versions are affected for HTTP/2 traffic. The fix will ship in 1.11.2.
Affected components
HTTP/1.x codec, HTTP/2 codec, HeaderMap implementation
Attack vector
A request that consists of thousands of very small headers, for example an HTTP/1.1 POST request carrying thousands of headers with short names and empty values.
Discovered by
Asra Ali, Google
Example exploit or proof-of-concept
The attacker sends an HTTP/1.1 POST request with 10,000 tiny headers "x-0: ", …, "x-10000: " each second.
Both the HTTP/1.1 and HTTP/2 codecs limit the maximum size of all request headers. To verify this limit, the
The issue was first noticed via a timeout in Envoy’s wire-level HTTP/1.1 fuzzer: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16325
Mitigation
In many deployments the maximum request header size can be set well below the default limit of 60 KiB. It is configurable via max_request_headers_kb in the HTTP Connection Manager configuration. Because the quadratic cost grows with the number of headers, and the number of headers that fit is bounded by the byte limit, lowering this limit reduces the worst-case CPU consumption an attacker can cause with a single request.
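The following is an added example, not code from the advisory or from Envoy itself. It builds the proof-of-concept request described above, estimates how much of the header byte budget it uses, and shows how lowering max_request_headers_kb caps the number of tiny headers that can fit and therefore the quadratic work. The byte accounting (name plus value octets only, excluding the ": " separator and CRLF) and the n(n-1)/2 cost model are assumptions made for the example.

```python
# Added example; not part of the Envoy advisory or the Envoy code base.

DEFAULT_MAX_REQUEST_HEADERS_KB = 60   # Envoy's default max_request_headers_kb


def tiny_headers(n):
    """Return n (name, value) pairs 'x-0', 'x-1', ... with empty values, as in the PoC."""
    return [(f"x-{i}", "") for i in range(n)]


def header_bytes(headers):
    """Assumed accounting for the header-size limit: name + value octets only.

    This is an assumption for the example (separator and CRLF are not counted),
    not a statement about Envoy's HeaderMap implementation.
    """
    return sum(len(name) + len(value) for name, value in headers)


def build_request(headers, path="/", host="example.com", body=b""):
    """Serialize an HTTP/1.1 POST carrying the given headers as raw wire bytes."""
    lines = [f"POST {path} HTTP/1.1", f"Host: {host}", f"Content-Length: {len(body)}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def max_tiny_headers_under_limit(limit_kb):
    """Largest n such that tiny_headers(n) fits within limit_kb KiB under the accounting above."""
    budget = limit_kb * 1024
    total = 0
    n = 0
    while total + len(f"x-{n}") <= budget:
        total += len(f"x-{n}")
        n += 1
    return n


def pairwise_comparisons(n):
    """Work done when every newly added header is checked against all existing ones: n(n-1)/2."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    poc = tiny_headers(10_000)
    print("PoC header bytes:", header_bytes(poc),
          "of", DEFAULT_MAX_REQUEST_HEADERS_KB * 1024, "allowed")
    print("Raw request size on the wire:", len(build_request(poc)), "bytes")
    for kb in (DEFAULT_MAX_REQUEST_HEADERS_KB, 16):
        n = max_tiny_headers_under_limit(kb)
        print(f"max_request_headers_kb={kb}: up to {n} tiny headers, "
              f"~{pairwise_comparisons(n):,} header comparisons")
```

With the default 60 KiB budget, roughly ten thousand tiny headers fit and the check performs on the order of fifty million comparisons for one request; at 16 KiB fewer than three thousand fit, cutting the per-request work by more than an order of magnitude. The script only builds the request bytes and does not send them.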
Detection
Envoy exposes the loop duration and poll delay of the event loops on worker threads, so these statistics can be examined to detect suspicious CPU consumption. Elevated per-worker dispatcher.loop_duration_us histograms (server.worker_<n>.dispatcher.loop_duration_us) provide circumstantial evidence of an ongoing attack. These statistics are off by default and can be enabled by setting enable_dispatcher_stats to true in the bootstrap configuration.
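As an added example (not Envoy code and not part of the advisory), the script below parses dispatcher.loop_duration_us histogram lines in the text form returned by Envoy's admin /stats endpoint and flags worker threads whose interval P99 loop duration exceeds a threshold. The "name: P50(interval,cumulative) …" line format, the admin port 9901 mentioned in the comments, the threshold value and the sample lines are all assumptions constructed for this example; in practice you would feed it the output of a periodic scrape and tune the threshold against your own baseline.

```python
# Added example; not part of the Envoy advisory or the Envoy code base.
import re

# Histogram lines as emitted by `curl http://127.0.0.1:9901/stats` once
# enable_dispatcher_stats is true (format and port assumed for this example).
STAT_RE = re.compile(r"^(?P<name>\S+\.dispatcher\.loop_duration_us):\s*(?P<buckets>.*)$")
BUCKET_RE = re.compile(r"P(?P<pct>[\d.]+)\((?P<interval>[^,]+),(?P<cumulative>[^)]+)\)")

# Constructed sample: worker_1 is spending most of its loop iterations far above
# the others, the pattern a flood of many-header requests would produce.
SAMPLE_STATS = """\
server.dispatcher.loop_duration_us: P0(12,8) P25(20,18) P50(31,30) P75(48,45) P90(70,66) P95(90,85) P99(140,130) P99.5(150,145) P99.9(160,158) P100(170,168)
server.worker_0.dispatcher.loop_duration_us: P0(15,9) P25(30,20) P50(55,33) P75(90,50) P90(140,75) P95(200,95) P99(310,150) P99.5(330,160) P99.9(350,175) P100(360,180)
server.worker_1.dispatcher.loop_duration_us: P0(900,10) P25(41000,22) P50(180000,40) P75(420000,60) P90(760000,90) P95(900000,110) P99(1200000,170) P99.5(1300000,180) P99.9(1400000,190) P100(1500000,200)
server.worker_2.dispatcher.loop_duration_us: P0(nan,0) P25(nan,0) P50(nan,0) P75(nan,0) P90(nan,0) P95(nan,0) P99(nan,0) P99.5(nan,0) P99.9(nan,0) P100(nan,0)
server.worker_2.dispatcher.poll_delay_us: P0(1,1) P50(3,3) P99(9,9) P100(12,12)
"""


def parse_loop_duration(stats_text):
    """Map each loop_duration_us stat name to {percentile: interval value in us}."""
    result = {}
    for line in stats_text.splitlines():
        m = STAT_RE.match(line.strip())
        if not m:
            continue
        percentiles = {}
        for b in BUCKET_RE.finditer(m.group("buckets")):
            # The first number is the value over the last flush interval; the
            # second is cumulative since start. The interval value reacts fastest.
            percentiles[float(b.group("pct"))] = float(b.group("interval"))
        result[m.group("name")] = percentiles
    return result


def suspicious_workers(stats_text, p99_threshold_us=100_000.0):
    """Return (stat name, interval P99) for worker threads whose P99 exceeds the threshold.

    Only worker threads are considered; the main thread's loop has other legitimate
    long iterations. A 'nan' bucket (no samples this interval) never compares greater
    than the threshold, so idle workers are not flagged.
    """
    flagged = []
    for name, pct in parse_loop_duration(stats_text).items():
        if ".worker_" not in name:
            continue
        p99 = pct.get(99.0, float("nan"))
        if p99 > p99_threshold_us:
            flagged.append((name, p99))
    return flagged


if __name__ == "__main__":
    for name, p99 in suspicious_workers(SAMPLE_STATS):
        print(f"{name}: interval P99 loop duration {p99:.0f}us exceeds threshold")
```

Pair this with the poll_delay_us histogram and with per-listener request counts: a worker whose loop duration climbs while its request rate stays modest is the signature of expensive individual requests rather than a plain volume surge.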