Brief description
Users of Envoy 1.11.1 and before may configure a route to match incoming path headers when using the libstdc++ regex implementation. A remote attacker may send a request with a very long URI, resulting in a denial of service (memory consumption).
CVSS
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High)
Affected version(s)
Envoy 1.11.1 and before. Fix will be in 1.11.2
Affected component(s)
Router
Attack vector(s)
An HTTP request with a very large URI delivered by an untrusted client.
Discoverer(s)/Credits
Seikun Kambashi
Example exploit or proof-of-concept
An example of a crash with regex matching in a Route:
- A Route is configured to match incoming :path headers using a RouteMatch regex “/asdf/.*”
- A client constructs a 50 KiB string longString and sends an HTTP/1.1 GET request for a path “/asdf/{longString}” on the wire.
Details
Envoy’s HTTP router may be configured with regular expressions for routing incoming HTTP requests based on header values. Prior to version 1.11.2, Envoy used a recursive algorithm for matching regular expressions. As a result, an HTTP request with a sufficiently large header may consume a large amount of stack memory, or exhaust it, and cause abnormal process termination. Regular expressions with the ‘*’ or ‘+’ quantifiers are particularly vulnerable and may cause abnormal process termination when matching header values 16Kb or longer.
This problem is addressed in Envoy version 1.11.2 by replacing the regular expression matching implementation with a non-recursive version.
Mitigations
To mitigate CVE-2019-15225 in Envoy prior to v1.11.2, regular expression matching in request routing must be disabled and other types of matching used instead. Use Envoy prefix/suffix regex matchers where possible. In Envoy v1.11.2 and later, the “safe_regex” and “safe_regex_match” fields should be used for specifying regular expressions instead of “regex_match”.
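An audit helper for the mitigation above, added here as an example and not taken from the Envoy project: it walks a route configuration and reports every regular expression still set through a legacy field rather than “safe_regex” / “safe_regex_match”. The sample configuration is constructed, and the script assumes the v2 route API field names, including the legacy route-level “regex” field and the “google_re2” engine selector, which are not named in this advisory.

```python
import json

# Constructed sample route configuration (JSON form; names are illustrative).
SAMPLE_CONFIG = json.loads("""
{
  "virtual_hosts": [{
    "name": "example",
    "domains": ["*"],
    "routes": [
      {"match": {"regex": "/asdf/.*"}, "route": {"cluster": "a"}},
      {"match": {"safe_regex": {"google_re2": {}, "regex": "/v1/.*"}},
       "route": {"cluster": "b"}},
      {"match": {"prefix": "/", "headers": [
          {"name": "x-tenant", "regex_match": "[a-z]+-prod"}]},
       "route": {"cluster": "c"}}
    ]
  }]
}
""")

# A "regex" key nested directly under one of these is the safe matcher's pattern.
SAFE_PARENTS = {"safe_regex", "safe_regex_match"}


def find_unsafe_regex(node, path="$", parent_key=None):
    """Return (json_path, pattern, has_star_or_plus) for each legacy regex field."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            legacy = key == "regex_match" or (
                key == "regex" and parent_key not in SAFE_PARENTS)
            if legacy and isinstance(value, str):
                # Naive substring check for the quantifiers the advisory calls out.
                findings.append((here, value, any(q in value for q in "*+")))
            else:
                findings.extend(find_unsafe_regex(value, here, key))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            # List items keep the key of the list that contains them.
            findings.extend(find_unsafe_regex(item, f"{path}[{index}]", parent_key))
    return findings


if __name__ == "__main__":
    for where, pattern, quantified in find_unsafe_regex(SAMPLE_CONFIG):
        note = " (uses * or +)" if quantified else ""
        print(f"{where}: {pattern!r}{note}")
```

The pattern inside the “safe_regex” block is deliberately not reported, which is where a plain text search for "regex" would produce a false positive.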
Detection
Indicators are excessive memory consumption or frequent abnormal terminations of the Envoy process with a segmentation fault. A stack trace with a large number of frames in the std::regex methods can provide a strong signal.
References
CVE-2019-15225