CVE-2021-39162
First published: Thu Sep 09 2021(Updated: )
Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted *upstream* servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Envoyproxy Envoy | <1.18.4 | |
| Envoyproxy Envoy | =1.19.0 | |
| Pomerium Pomerium | =0.15.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-39162?
CVE-2021-39162 is a vulnerability in the Pomerium open source identity-aware access proxy, based on the Envoy proxy, that can lead to a denial-of-service (DoS) attack.
How does CVE-2021-39162 impact Envoy?
CVE-2021-39162 can cause an abnormal termination of Envoy if an H/2 GOAWAY and SETTINGS frame are received in the same IO event, leading to a DoS attack.
Is my version of Envoy affected by CVE-2021-39162?
Versions of Envoy up to and excluding 1.18.4 are affected by CVE-2021-39162.
Is my version of Pomerium affected by CVE-2021-39162?
Pomerium version 0.15.0 is affected by CVE-2021-39162.
How can I fix CVE-2021-39162?
To fix CVE-2021-39162, it is recommended to upgrade to a version of Envoy that is not affected or apply the necessary security patches.
- collector/nvd-index
- vendor/envoyproxy
- canonical/envoyproxy envoy
- version/envoyproxy envoy/1.19.0
- vendor/pomerium
- canonical/pomerium pomerium
- version/pomerium pomerium/0.15.0