Skip to content

Incorrect handling of H2 GOAWAY + SETTINGS frames

High
travisgroth published GHSA-gjcg-vrxg-xmgv Sep 9, 2021

Package

gomod pomerium (Go)

Affected versions

0.15.0

Patched versions

0.15.1

Description

Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event.

Impact

This can lead to a DoS in the presence of untrusted upstream servers.

Patches

0.15.1 contains an upgraded envoy binary with this vulnerability patched.

Workarounds

If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.

References

envoy GSA
envoy CVE
envoy announcement

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-39162

Weaknesses