AMBASSADOR SECURITY UPDATE

Multiple HTTP/2 vulnerabilities in Envoy Proxy

Ambassador 0.75 addresses CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518

We’re releasing Ambassador 0.75 today, which addresses five vulnerabilities in Envoy Proxy, all related to HTTP/2. These five issues are rated as high severity, and address the class of HTTP/2 denial of service issues disclosed today by Netflix (see Netflix HTTP/2 Denial of Service Advisory). We recommend that all Ambassador users upgrade, especially users who rely on gRPC and/or HTTP/2. These security fixes are also included in Envoy 1.11.1, which is also being released today.

The full list of vulnerabilities addressed in this release is:

CVE-2019-9512 (CVSS score 7.5, HIGH): An attacker can send continual Pings to an HTTP/2 peer, causing the peer to build an internal queue of responses, resulting in excess CPU and/or memory consumption, potentially leading to a denial of service. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-9513 (CVSS score 7.5, HIGH): An attacker can create multiple request streams and reshuffle the priority of the streams in a way that can consume excess CPU, potentially leading to a denial of service. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-9514 (CVSS score 7.5, HIGH): An attacker can open a number of streams and send an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. This can consume excess memory, CPU, or both, potentially leading to a denial of service. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-9515 (CVSS score 7.5, HIGH): An attacker can send a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. This can consume excess CPU, memory, or both, potentially leading to a denial of service. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-9518 (CVSS score 7.5, HIGH): An attacker can send a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
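The five issues share one shape: each inbound frame is cheap for the sender but forces the receiver to queue work (a PING or SETTINGS ACK, a priority-tree update, a frame dispatch with no payload to show for it). The way a proxy defends against that class is to budget the work per connection and close the connection when the budget is exceeded. The following is an added illustration of that idea, not code from Ambassador or Envoy: a small RFC 7540 frame parser and a per-connection audit that flags the ping/SETTINGS flood (CVE-2019-9512, CVE-2019-9515), priority reshuffling (CVE-2019-9513) and empty-frame flood (CVE-2019-9518) shapes. The reset flood (CVE-2019-9514) depends on request validation, which this example does not model. The limits, the `audit_connection` and `Limits` names, and the sample frames are all made up for the example.

```python
"""Added example: HTTP/2 frame parsing plus a per-connection work budget.

Illustrative only; the budgets below are invented for the example and are
not the values any real proxy ships with.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Frame type codes from RFC 7540 section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 0x5, 0x6, 0x7, 0x8, 0x9
FLAG_END_STREAM = 0x1   # meaning of bit 0 on DATA and HEADERS
FLAG_END_HEADERS = 0x4  # meaning of bit 2 on HEADERS / CONTINUATION
FLAG_ACK = 0x1          # meaning of bit 0 on SETTINGS and PING
EMPTY_PAYLOAD_TYPES = {DATA, HEADERS, CONTINUATION, PUSH_PROMISE}


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf: bytes) -> List[Frame]:
    """Split a connection byte string into frames (RFC 7540 section 4.1)."""
    frames: List[Frame] = []
    off = 0
    while off < len(buf):
        if off + 9 > len(buf):
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


@dataclass
class Limits:
    """Invented budgets (hypothetical); a real proxy tunes these per deployment."""
    max_pending_acks: int = 3         # PING/SETTINGS ACKs owed to the peer but not yet written
    max_priority_per_stream: int = 2  # PRIORITY frames tolerated for one stream
    max_consecutive_empty: int = 2    # empty DATA/HEADERS/CONTINUATION/PUSH_PROMISE without END_STREAM


def audit_connection(buf: bytes, limits: Optional[Limits] = None, flushed_per_frame: int = 0) -> List[str]:
    """Return the sorted set of budget violations the peer's frames would trigger.

    `flushed_per_frame` models how many owed ACKs the server manages to write to
    the socket between inbound frames. 0 models a peer that never reads, which is
    exactly what lets the outbound ACK queue grow without bound.
    """
    limits = limits or Limits()
    violations = set()
    pending_acks = 0
    empty_run = 0
    priority_seen: Dict[int, int] = defaultdict(int)

    for f in parse_frames(buf):
        # ACKs written since the previous inbound frame leave the queue.
        pending_acks = max(0, pending_acks - flushed_per_frame)

        # RFC 7540 requires one ACK per PING and per non-ACK SETTINGS frame.
        if f.ftype in (PING, SETTINGS) and not f.flags & FLAG_ACK:
            pending_acks += 1
            if pending_acks > limits.max_pending_acks:
                violations.add("ack_flood")

        # Repeated re-prioritisation of the same stream is work without a request.
        if f.ftype == PRIORITY:
            priority_seen[f.stream_id] += 1
            if priority_seen[f.stream_id] > limits.max_priority_per_stream:
                violations.add("priority_flood")

        # Empty frames that do not end the stream are dispatched but carry nothing.
        if f.ftype in EMPTY_PAYLOAD_TYPES and not f.payload and not f.flags & FLAG_END_STREAM:
            empty_run += 1
            if empty_run > limits.max_consecutive_empty:
                violations.add("empty_frame_flood")
        else:
            empty_run = 0

    return sorted(violations)


# Constructed sample streams for a stand-alone run.
BENIGN = (encode_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, 1, b"\x82")
          + encode_frame(PING, 0, 0, bytes(8)) + encode_frame(SETTINGS, 0, 0))
PING_FLOOD = encode_frame(PING, 0, 0, bytes(8)) * 5

if __name__ == "__main__":
    print("benign:", audit_connection(BENIGN))
    print("ping flood, peer never reads:", audit_connection(PING_FLOOD))
    print("ping flood, one ACK flushed per frame:", audit_connection(PING_FLOOD, flushed_per_frame=1))
```

The `flushed_per_frame` knob is the point of the exercise: the same five PINGs are harmless when the peer drains its ACKs and a problem when it does not, which is why a proxy has to bound the outbound queue rather than the inbound rate alone.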

Credit to Jonathan Looney of Netflix for discovering these vulnerabilities. Credit to Yan Avlasov and Piotr Sikora from the Envoy Proxy security team for their work on these issues.

Who’s affected?

If your site is using HTTP/2 and/or gRPC, we recommend you upgrade immediately. If your site currently does not use these protocols, you are not affected. We would still recommend upgrading as a matter of best practices, as HTTP/2 and gRPC are gaining rapid adoption.

Upgrading

Ambassador relies on Kubernetes deployments for updates. To update Ambassador, change your Kubernetes manifest to point to quay.io/datawire/ambassador:0.75.0 and run kubectl apply on the updated manifest. Kubernetes will apply a rolling update and update to 0.75.

Details about this release

0.75 updates our base Envoy image to Envoy Proxy 1.11.1 plus additional Ambassador-specific fixes that have not been merged upstream. Our previous base Envoy image was built on Envoy master as of June 12, 2019 (for comparison, Envoy 1.11 was released on July 11, 2019) on upstream commit 0243ded4b29be7c7d95316ca99eae2e3c517e1a4. As a point of reference, this commit hash was 458 commits after 1.10.0, and 1.11.0 was 589 commits after 1.10.0. In other words, Ambassador’s Envoy was closer to 1.11.0 than 1.10.0. With 0.75, we are doing a full rebase of our Envoy Proxy onto 1.11.1, plus the additional Ambassador-specific fixes.

This release also includes two other bug fixes:

TLSContext does not always require a secret (#1708)

Multiple host_rewrite values are supported for canary releases (#1159)

Get Involved

If you run into any problems with the update, please open an issue or join our Slack for some help. In addition, Ambassador Pro provides integrated authentication, rate limiting, commercial support, and more. If you’re interested, please contact us.

And, if Ambassador is working well for you, we’d love to hear about it. Drop us a line in the comments below, or @getambassadorio on Twitter.