Summary
Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the fail of a websocket handshake will trigger a local reply leading to the crash of Envoy.
PoC
If both websocket and ext_proc are enabled, a failed handshake will trigger a local reply, thus ext_proc will crash.
Mitigation
- Disable websocket traffic
- Change the websocket response from backend to always return
101 Switch protocol based on RFC.
- Apply the patch and the ext_proc filter will not send the local reply that is generated by Envoy to the ext_proc server for processing.
- Apply the patch that the router will cancel the upstream requests when sending a local reply.
Impact
Denial of service
Reporter
Vasilios Syrakis
Fernando Cainelli
botengyao Remediation reviewer
yanjunxiang-google Remediation developer
phlax Coordinator
Summary
Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's life time issue. A known situation is the fail of a websocket handshake will trigger a local reply leading to the crash of Envoy.
PoC
If both websocket and ext_proc are enabled, a failed handshake will trigger a local reply, thus ext_proc will crash.
Mitigation
101 Switch protocolbased on RFC.Impact
Denial of service
Reporter
Vasilios Syrakis
Fernando Cainelli