Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams…
GitHub_M·CWE-834·Published 2021-09-09
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS condition. Pomerium versions 0.14.8 and 0.15.1 contain an upgraded envoy binary with this vulnerability patched.
Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset.

### Impact

This can result in a DoS condition.

### Patches

Pomerium versions 0.14.8 and 0.15.1 contain an upgraded envoy binary with this vulnerability patched.

### Workarounds

N/A

### References

* [envoy GSA](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3xh3-33v5-chcc)
* [envoy CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32778)
* [envoy announcement](https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [pomerium/pomerium](https://github.com/pomerium/pomerium/issues)
* Email us at [security@pomerium.com](mailto:security@pomerium.com)
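The only remediation the advisory offers is upgrading to a release that bundles the patched Envoy, so the practical check for a defender is whether a deployed Pomerium build is at or above 0.14.8 on the 0.14 branch or at or above 0.15.1 otherwise. The Go snippet below is an added example written for this page, not Pomerium's own code or tooling; it parses a release tag and applies exactly the two fixed versions named above. It assumes (this is not stated in the advisory) that every release older than 0.14.8 on any branch, and 0.15.0, lack the fix, and that every release from 0.15.1 onward carries it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver holds the numeric parts of a release tag such as "v0.15.1".
type semver struct{ major, minor, patch int }

// parseVersion accepts "0.15.1", "v0.15.1" or "v0.15.1-rc1" and returns the
// numeric triple. Pre-release and build suffixes are dropped for the comparison.
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("unexpected version format %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return semver{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// less is a strict numeric ordering on major.minor.patch.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// IsPatched reports whether a Pomerium release ships the upgraded Envoy.
// The fixed versions come from the advisory: 0.14.8 on the 0.14 branch and
// 0.15.1 on the 0.15 branch. Assumption (not stated on the page): releases
// older than 0.14.8 on any branch and 0.15.0 lack the fix; 0.15.1 and every
// later release carry it.
func IsPatched(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fixed014 := semver{0, 14, 8}
	fixed015 := semver{0, 15, 1}
	switch {
	case v.major == 0 && v.minor == 14:
		// 0.14 maintenance branch: fixed from 0.14.8 onward.
		return !v.less(fixed014), nil
	case v.less(fixed014):
		// Anything older than the 0.14 fix has no patched Envoy.
		return false, nil
	default:
		// 0.15 and later: fixed from 0.15.1 onward.
		return !v.less(fixed015), nil
	}
}

func main() {
	// Constructed sample tags, not taken from a real inventory.
	for _, tag := range []string{"v0.13.9", "0.14.7", "v0.14.8", "0.15.0", "0.15.1", "v0.16.0-rc1"} {
		ok, err := IsPatched(tag)
		if err != nil {
			fmt.Printf("%-12s parse error: %v\n", tag, err)
			continue
		}
		fmt.Printf("%-12s patched=%v\n", tag, ok)
	}
}
```

Feed it the tag reported by the running binary (or the image tag in your deployment manifests) to flag hosts that still need the upgrade; a version that fails to parse is reported as an error rather than silently treated as safe.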
Pomerium is an open source identity-aware access proxy. Envoy, on which Pomerium is based, improperly handles the resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU usage when a large number of streams are reset. This can result in a DoS condition. Pomerium versions 0.14.8 and 0.15.1 contain an updated envoy binary with this vulnerability patched.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |