ISTIO-SECURITY-2024-002


CVE

Envoy CVEs

  • CVE-2024-27919 (CVSS Score 7.5, High): HTTP/2: memory exhaustion due to CONTINUATION frame flood.
  • CVE-2024-30255 (CVSS Score 5.3, Moderate): HTTP/2: CPU exhaustion due to CONTINUATION frame flood.

Go CVEs

NOTE: At the time of publishing, the CVE was not yet scored or vectored.

  • CVE-2023-45288 (CVSS Score Unpublished): HTTP/2 CONTINUATION frames can be utilized for DoS attacks.

Am I Impacted?

You are impacted if you accept HTTP/2 traffic from untrusted sources, which applies to most users. This especially applies if you use a Gateway exposed on the public internet.
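The failure mode behind these CVEs is a receiver that keeps appending CONTINUATION frame payloads to a header block with no upper bound. The following is an added illustration (not Istio, Envoy or Go code): a minimal HTTP/2 frame reassembler that caps the accumulated header block, with constructed sample frames; the frame layout, `max_block_bytes` and helper names are assumptions of the example.

```python
# Added example: reassemble an HTTP/2 HEADERS + CONTINUATION sequence with a
# bound on the accumulated header block. Without the bound, a peer that never
# sends END_HEADERS makes the buffer grow without limit (memory exhaustion).
# Constructed for illustration; PADDED/PRIORITY flag handling is omitted.
import struct

HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4  # flag bit that terminates a header block sequence


def frame(ftype, flags, stream_id, payload):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def reassemble_header_block(data, max_block_bytes=8192):
    """Return the reassembled header block for the first HEADERS sequence.

    Raises ValueError if the block exceeds max_block_bytes (the flood defence),
    if a CONTINUATION arrives on a different stream, or if it never terminates.
    """
    pos, buf, stream, in_block = 0, bytearray(), None, False
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        sid = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        pos += 9 + length
        if ftype == HEADERS and not in_block:
            stream, in_block = sid, True
        elif ftype == CONTINUATION and in_block:
            if sid != stream:
                raise ValueError("CONTINUATION frame on a different stream")
        else:
            continue  # other frame types are ignored in this example
        buf += payload
        if len(buf) > max_block_bytes:  # the check the vulnerable stacks lacked
            raise ValueError("header block exceeds %d bytes" % max_block_bytes)
        if flags & END_HEADERS:
            return bytes(buf)
    raise ValueError("header block never terminated")


def constructed_flood(n_frames, chunk=1024):
    """Constructed sample: HEADERS then n_frames CONTINUATIONs, no END_HEADERS."""
    frames = frame(HEADERS, 0, 1, b"A" * chunk)
    for _ in range(n_frames):
        frames += frame(CONTINUATION, 0, 1, b"B" * chunk)
    return frames
```

With the default 8192-byte cap the constructed flood is rejected at the eighth CONTINUATION frame instead of being buffered indefinitely.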