CVE-2019-15226
published 2019-10-09


Priority: P359
Severity: high, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 65.39% (99.2th percentile)
Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for HTTP/2 traffic had O(n^2) performance characteristics. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.

Affected

16 ranges, all for vendor envoyproxy, product envoy. The version range and fixed-in columns of the table were not captured on this page; see the description above for the affected versions.

Detection & IOCs (extracted from sources)

  • Detect HTTP requests whose header block stays below the maximum request header size but contains many thousands of small headers. This is the shape of the O(n^2) CPU exhaustion attack against Envoy: the byte limit is never exceeded, so the size check alone does not reject the request.
  • Affected Envoy versions for HTTP/1.x traffic are 1.10.0 through 1.11.1; for HTTP/2 traffic all versions of Envoy are affected. Scope detection and patching accordingly.
  • Monitor Envoy processes for abnormal CPU spikes that correlate with incoming HTTP requests carrying high header counts; that pairing is the observable symptom of this DoS pattern.
  • The vulnerability affects Envoy as deployed in OpenShift Service Mesh 1; make sure service mesh sidecar proxies are included in the patching scope, not only standalone gateways.
  • The upstream fix is tracked in a specific commit; verify that Envoy deployments have been updated past the vulnerable versions (1.10.0 through 1.11.1 for HTTP/1.x; all versions for HTTP/2).
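The following C++ program is an added illustration for the description and the detection notes above; it is not Envoy's code. It models the two header-accounting strategies (re-walking every header on each arrival, which is what made the check quadratic, versus keeping a running byte total) and counts how many header entries each touches for a request of n tiny headers that stays under the size limit. It then runs a simple detector over a raw HTTP/1.x request that flags a header block with an abnormal header count but a total size under the limit. The function names, the 60 KiB limit, the count threshold and the sample requests are all assumptions made for this example.

```cpp
// Added illustration for CVE-2019-15226 (not Envoy's code): quadratic per-header
// size check vs. running total, plus a detector for "many small headers" requests.
// Function names, the 60 KiB limit and the sample requests are assumptions.
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <utility>
#include <vector>

using Header = std::pair<std::string, std::string>;

// Vulnerable pattern: every time a header arrives, walk all headers received so
// far to re-total their bytes. For n headers that is 1+2+...+n = O(n^2) visits.
bool addHeaderQuadratic(std::vector<Header>& headers, Header h,
                        size_t max_bytes, size_t& visits) {
  headers.push_back(std::move(h));
  size_t total = 0;
  for (const auto& kv : headers) {
    total += kv.first.size() + kv.second.size();
    ++visits;  // one existing entry touched per loop iteration
  }
  if (total > max_bytes) {
    headers.pop_back();
    return false;
  }
  return true;
}

// Fixed pattern: keep a running byte count, so each add costs O(1).
bool addHeaderLinear(std::vector<Header>& headers, Header h, size_t max_bytes,
                     size_t& running_bytes, size_t& visits) {
  const size_t add = h.first.size() + h.second.size();
  ++visits;
  if (running_bytes + add > max_bytes) return false;
  running_bytes += add;
  headers.push_back(std::move(h));
  return true;
}

// The attacker's payload: n tiny headers ("h0: x", "h1: x", ...) whose combined
// size stays well under max_bytes, so the size limit alone never rejects them.
std::vector<Header> makeSmallHeaders(size_t n) {
  std::vector<Header> out;
  out.reserve(n);
  for (size_t i = 0; i < n; ++i) out.emplace_back("h" + std::to_string(i), "x");
  return out;
}

struct Cost {
  size_t quadratic_visits;
  size_t linear_visits;
  size_t accepted;  // headers accepted by both implementations
};

// Feed the same n-header request through both implementations and count work.
Cost compareCost(size_t n, size_t max_bytes) {
  Cost c{0, 0, 0};
  std::vector<Header> q, l;
  size_t running = 0;
  for (Header& h : makeSmallHeaders(n)) {
    bool a = addHeaderQuadratic(q, h, max_bytes, c.quadratic_visits);
    bool b = addHeaderLinear(l, h, max_bytes, running, c.linear_visits);
    if (a && b) ++c.accepted;
  }
  return c;
}

struct HeaderStats {
  size_t count;
  size_t bytes;
  bool suspicious;
};

// Detection over a raw HTTP/1.x request: count header lines and their bytes.
// The CVE signature is a header block under the size limit that still carries
// an abnormal number of headers; count_threshold is a site-specific tuning knob.
HeaderStats inspectRequest(const std::string& raw, size_t max_bytes,
                           size_t count_threshold) {
  HeaderStats s{0, 0, false};
  size_t pos = raw.find("\r\n");  // skip the request line
  if (pos == std::string::npos) return s;
  pos += 2;
  while (pos < raw.size()) {
    size_t end = raw.find("\r\n", pos);
    if (end == std::string::npos) end = raw.size();
    if (end == pos) break;  // empty line terminates the header block
    std::string line = raw.substr(pos, end - pos);
    if (line.find(':') != std::string::npos) {
      ++s.count;
      s.bytes += line.size();
    }
    pos = end + 2;
  }
  s.suspicious = s.count >= count_threshold && s.bytes <= max_bytes;
  return s;
}

// Constructed sample: a normal Host line followed by n attacker headers.
std::string makeRawRequest(size_t n) {
  std::string r = "GET / HTTP/1.1\r\nHost: example.test\r\n";
  for (const Header& h : makeSmallHeaders(n)) r += h.first + ": " + h.second + "\r\n";
  return r + "\r\n";
}

int main() {
  const size_t kMaxBytes = 60 * 1024;  // assumed limit; Envoy's is configurable
  for (size_t n : {1000u, 4000u, 8000u}) {
    Cost c = compareCost(n, kMaxBytes);
    std::printf("%zu headers: quadratic=%zu visits, linear=%zu visits\n",
                n, c.quadratic_visits, c.linear_visits);
  }
  HeaderStats s = inspectRequest(makeRawRequest(4000), kMaxBytes, 1000);
  std::printf("detector: %zu headers, %zu bytes, suspicious=%d\n",
              s.count, s.bytes, static_cast<int>(s.suspicious));
  return 0;
}
```

The visit counts show the asymmetry the advisory describes: doubling the header count doubles the work for the running-total version but quadruples it for the re-walking version, while every header is still accepted because the total stays under the byte limit. The detector deliberately keys on the combination of a high header count and a total size under the limit, since a request that exceeds the limit is already rejected by the size check and is not the CVE case.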

CVSS provenance

nvd, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd, CVSS v2.0: 7.8 HIGH, AV:N/AC:L/Au:N/C:N/I:N/A:C
vendor (Red Hat): 7.5 HIGH