Hello Envoy Community,
The Envoy security team would like to announce the availability of Envoy 1.12.4, 1.13.2 and 1.14.2.
This release addresses the following CVE(s):
CVE-2020-11080 (HIGH severity; CVSS score 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): Excessive CPU usage when processing HTTP/2 SETTINGS frames with too many parameters, potentially leading to a denial of service.
Upgrading to the 1.12.4, 1.13.2 or 1.14.2 release is encouraged to fix this issue.
Am I vulnerable?
Run `envoy --version` and if it indicates a base version of 1.12.3, 1.13.1, 1.14.1 or older then you are running a vulnerable version.
Users running Envoy as an HTTP/2 proxy that communicates directly with untrusted peers are vulnerable. Deployments communicating only with trusted HTTP/2 peers (e.g. hosted behind Cloud HTTP load balancers) are not vulnerable, but we still recommend updating them.
Users using Envoy as a TCP proxy and/or HTTP/1.1 proxy are not affected.
How do I mitigate the vulnerability?
Users of vulnerable versions can mitigate this vulnerability by disabling HTTP/2 and allowing only HTTP/1.1: set http_connection_manager.codec_type to “HTTP1” and remove “h2” from common_tls_context.alpn_protocols.
Please note that while virtually all HTTP clients can use HTTP/1.1 and HTTP/2 interchangeably, proxying gRPC requires HTTP/2 and it won’t work when HTTP/2 is disabled.
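As an added check (not part of this advisory or of the Envoy project), the Python below applies the two tests above to sample input: it pulls the base version out of `envoy --version` output (the `<sha>/<major.minor.patch>/...` layout is assumed) and walks a static listener config for filter chains that could still negotiate HTTP/2, i.e. a codec_type other than HTTP1 or “h2” still offered in alpn_protocols. The version string and the JSON config are constructed for the demonstration.

```python
import json
import re

# Fixed releases named in the advisory; anything older in the same line is vulnerable.
FIXED = {(1, 12): (1, 12, 4), (1, 13): (1, 13, 2), (1, 14): (1, 14, 2)}


def parse_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `envoy --version` output.
    Assumed format: 'envoy  version: <sha>/<major.minor.patch>/<status>/...'."""
    m = re.search(r"/(\d+)\.(\d+)\.(\d+)[/-]", output)
    if not m:
        raise ValueError("cannot find base version in: " + output)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: tuple) -> bool:
    """True for 1.12.3, 1.13.1, 1.14.1 or older, as the advisory states."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return version < (1, 12, 4)  # older minor lines never received the fix
    return version < fixed


def http2_exposures(config: dict) -> list:
    """One finding per listener filter chain that can still speak HTTP/2.
    codec_type defaults to AUTO, which negotiates h2, so a missing field is flagged."""
    findings = []
    for listener in config.get("static_resources", {}).get("listeners", []):
        lname = listener.get("name", "<unnamed>")
        for chain in listener.get("filter_chains", []):
            for f in chain.get("filters", []):
                if not f.get("name", "").endswith("http_connection_manager"):
                    continue
                hcm = f.get("typed_config", f.get("config", {}))
                codec = hcm.get("codec_type", "AUTO")
                if codec.upper() != "HTTP1":
                    findings.append(f"{lname}: codec_type is {codec}, set it to HTTP1")
            tls = chain.get("transport_socket", {}).get("typed_config", {})
            tls = tls or chain.get("tls_context", {})  # older, deprecated location
            alpn = tls.get("common_tls_context", {}).get("alpn_protocols", [])
            if "h2" in alpn:
                findings.append(f"{lname}: remove 'h2' from alpn_protocols {alpn}")
    return findings


# Constructed sample: a TLS listener that still negotiates HTTP/2 both ways.
SAMPLE_CONFIG = json.loads("""{"static_resources": {"listeners": [{
  "name": "ingress_https",
  "filter_chains": [{
    "transport_socket": {"name": "envoy.transport_sockets.tls",
      "typed_config": {"common_tls_context": {"alpn_protocols": ["h2", "http/1.1"]}}},
    "filters": [{"name": "envoy.filters.network.http_connection_manager",
      "typed_config": {"codec_type": "AUTO", "stat_prefix": "ingress"}}]}]}]}}""")
```

Running `http2_exposures(SAMPLE_CONFIG)` reports both the AUTO codec and the h2 ALPN entry; after applying the two changes above it returns an empty list.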
How do I upgrade?
Update to 1.12.4, 1.13.2 or 1.14.2 via your Envoy distribution or rebuild from the Envoy GitHub source at the v1.12.4, v1.13.2 or v1.14.2 tag or 8b6ea4eaf95c7fa4822a35b25e6984fb2a718b49 @ master.
Have questions?
Please reach out to us on #envoy-cve at https://envoyproxy.slack.com if you have any further questions.
Thanks,
Piotr Sikora (on behalf of the Envoy security team)