Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1namNnLXZyeGcteG1nds0VsA
Incorrect handling of H2 GOAWAY + SETTINGS frames
Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY frame and a SETTINGS frame are received in the same IO event.
Impact
This can lead to a DoS in the presence of untrusted upstream servers.
Patches
0.15.1 contains an upgraded envoy binary with this vulnerability patched.
Workarounds
If only trusted upstreams are configured, there is no substantial risk of this condition being triggered.
References
envoy GSA
envoy CVE
envoy announcement
For more information
If you have any questions or comments about this advisory:
- Open an issue in pomerium/pomerium
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1namNnLXZyeGcteG1nds0VsA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Percentage: 0.00195
EPSS Percentile: 0.57134
Identifiers: GHSA-gjcg-vrxg-xmgv, CVE-2021-39162
References:
- https://github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
- https://nvd.nist.gov/vuln/detail/CVE-2021-39162
- https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE/m/wD05NZBbAgAJ
- https://github.com/advisories/GHSA-gjcg-vrxg-xmgv
Blast Radius: 6.0
Affected Packages
go:github.com/pomerium/pomerium
Dependent packages: 5
Dependent repositories: 5
Downloads:
Affected Version Ranges: < 0.15.1
Fixed in: 0.15.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.4, 0.9.5, 0.9.6, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.15.0
All unaffected versions: 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.23.0, 0.24.0, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.28.0