CVE-2023-35945: Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec
First published: Tue Jun 27 2023(Updated: )
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/envoy | <1.26.3 | 1.26.3 |
| redhat/envoy | <1.25.8 | 1.25.8 |
| redhat/envoy | <1.24.9 | 1.24.9 |
| redhat/envoy | <1.23.11 | 1.23.11 |
| Envoyproxy Envoy | <1.23.11 | |
| Envoyproxy Envoy | >=1.24.0<1.24.9 | |
| Envoyproxy Envoy | >=1.25.0<1.25.8 | |
| Envoyproxy Envoy | >=1.26.0<1.26.3 | |
| Nghttp2 Nghttp2 | <1.55.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
- https://access.redhat.com/errata/RHSA-2023:4624
- https://access.redhat.com/security/cve/cve-2023-35945
- https://access.redhat.com/errata/RHSA-2023:5175
- https://bugzilla.redhat.com/show_bug.cgi?id=2217983
Frequently Asked Questions
What is CVE-2023-35945?
CVE-2023-35945 is a vulnerability in Envoy's HTTP/2 codec that may leak a header map and bookkeeping structures.
What is the severity of CVE-2023-35945?
CVE-2023-35945 has a severity rating of 7.5 (High).
How does CVE-2023-35945 affect Envoy?
CVE-2023-35945 affects Envoy versions up to and including 1.26.3.
How can I fix CVE-2023-35945?
To fix CVE-2023-35945, upgrade to Envoy version 1.26.3 or apply the appropriate patch provided by Red Hat.
Where can I find more information about CVE-2023-35945?
You can find more information about CVE-2023-35945 in the references provided: [Ref 1](https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346), [Ref 2](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r), [Ref 3](https://access.redhat.com/errata/RHSA-2023:4624)
- collector/nvd-latest
- collector/nvd-index
- agent/references
- agent/weakness
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-35945
- agent/software-canonical-lookup
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/event
- vendor/envoyproxy
- canonical/envoyproxy envoy
- version/envoyproxy envoy/1.24.0
- version/envoyproxy envoy/1.25.0
- version/envoyproxy envoy/1.26.0
- package-manager/redhat
- vendor/nghttp2
- canonical/nghttp2 nghttp2