CVE-2023-35945

13.07.2023, 21:15

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 32%

Affected Products (NVD)

Vendor	Product	Version
envoyproxy	envoy	𝑥 < 1.23.11
envoyproxy	envoy	1.24.0 ≤ 𝑥 < 1.24.9
envoyproxy	envoy	1.25.0 ≤ 𝑥 < 1.25.8
envoyproxy	envoy	1.26.0 ≤ 𝑥 < 1.26.3
nghttp2	nghttp2	𝑥 < 1.55.1

𝑥

= Vulnerable software versions

openSUSE / SLES Releases

openSUSE Product

Release

libnghttp2-14

suse enterprise desktop 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise desktop 15 SP7	1.64.0-150700.1.5 fixed
suse enterprise sap 12 SP5	1.39.2-3.10.1 fixed
suse enterprise sap 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise sap 15 SP7	1.64.0-150700.1.5 fixed
suse enterprise server 12 SP5	1.39.2-3.10.1 fixed
suse enterprise server 15 SP1	1.40.0-150000.3.14.1 fixed
suse enterprise server 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise server 15 SP7	1.64.0-150700.1.5 fixed

libnghttp2-14-32bit

suse enterprise desktop 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise desktop 15 SP7	1.64.0-150700.1.5 fixed
suse enterprise sap 12 SP5	1.39.2-3.10.1 fixed
suse enterprise sap 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise sap 15 SP7	1.64.0-150700.1.5 fixed
suse enterprise server 12 SP5	1.39.2-3.10.1 fixed
suse enterprise server 15 SP1	1.40.0-150000.3.14.1 fixed
suse enterprise server 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise server 15 SP7	1.64.0-150700.1.5 fixed

libnghttp2-devel

suse enterprise desktop 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise desktop 15 SP7	1.64.0-150700.1.5 fixed
suse enterprise sap 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise sap 15 SP7	1.64.0-150700.1.5 fixed
suse enterprise server 15 SP1	1.40.0-150000.3.14.1 fixed
suse enterprise server 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise server 15 SP7	1.64.0-150700.1.5 fixed

libnghttp2_asio-devel

suse enterprise desktop 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise desktop 15 SP7	1.40.0-150600.23.2 fixed
suse enterprise sap 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise sap 15 SP7	1.40.0-150600.23.2 fixed
suse enterprise server 15 SP1	1.40.0-150000.3.14.1 fixed
suse enterprise server 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise server 15 SP7	1.40.0-150600.23.2 fixed

libnghttp2_asio1

suse enterprise desktop 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise desktop 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise desktop 15 SP7	1.40.0-150600.23.2 fixed
suse enterprise sap 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise sap 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise sap 15 SP7	1.40.0-150600.23.2 fixed
suse enterprise server 15 SP1	1.40.0-150000.3.14.1 fixed
suse enterprise server 15 SP2	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP3	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP4	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP5	1.40.0-150200.9.1 fixed
suse enterprise server 15 SP6	1.40.0-150600.23.2 fixed
suse enterprise server 15 SP7	1.40.0-150600.23.2 fixed

Common Weakness Enumeration

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r

https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346

https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r

https://github.com/nghttp2/nghttp2/blob/e7f59406556c80904b81b593d38508591bb7523a/lib/nghttp2_session.c#L3346