CVE-2023-35945 Overview
CVE-2023-35945 is a memory leak vulnerability in Envoy's HTTP/2 codec that can lead to denial of service through memory exhaustion. The vulnerability occurs when Envoy receives an RST_STREAM frame immediately followed by a GOAWAY frame from an upstream server. This specific frame sequence triggers a flaw in the nghttp2 library's cleanup logic, causing header maps and bookkeeping structures to leak without proper deallocation.
Critical Impact
Attackers can exploit this vulnerability to cause denial of service through memory exhaustion by sending specially crafted HTTP/2 frame sequences to Envoy proxy instances.
Affected Products
- Envoyproxy Envoy versions prior to 1.26.3
- Envoyproxy Envoy versions prior to 1.25.8, 1.24.9, and 1.23.11
- nghttp2 library (underlying HTTP/2 implementation)
Discovery Timeline
- 2023-07-13 - CVE-2023-35945 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-35945
Vulnerability Analysis
This vulnerability resides in the nghttp2 library, which serves as Envoy's HTTP/2 codec implementation. The flaw manifests during the cleanup process for pending requests when the proxy receives a GOAWAY frame from an upstream server. The issue specifically affects how bookkeeping structures and compressed headers are deallocated under certain error conditions.
When the connection is already marked as not accepting further requests because of a previously received GOAWAY frame, the cleanup routine takes its error return path. The code that frees the bookkeeping structure and the pending compressed header block sits immediately after that return statement, so it is never reached and those structures remain allocated indefinitely.
Root Cause
The root cause lies in the nghttp2 session handling code where the cleanup logic for pending requests upon GOAWAY frame receipt incorrectly skips deallocation. In the nghttp2_session.c file, when the error return path is executed due to the connection being marked as not accepting new requests, the code returns before reaching the cleanup statements. This creates a memory leak where the header map and associated bookkeeping structures remain allocated but unreachable, gradually consuming available memory.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Establishing an HTTP/2 connection with an Envoy proxy
- Initiating requests that are forwarded to an upstream server
- Manipulating the upstream server (or a malicious upstream) to send RST_STREAM frames immediately followed by GOAWAY frames
- Repeating this pattern to continuously leak memory on the Envoy proxy
The vulnerability is particularly dangerous in service mesh environments where Envoy handles high volumes of HTTP/2 traffic, as memory exhaustion can be achieved more rapidly through sustained exploitation.
The vulnerability manifests in the nghttp2 session cleanup code path. For technical implementation details, refer to the nghttp2 source code and the Envoy Security Advisory.
Detection Methods for CVE-2023-35945
Indicators of Compromise
- Gradual increase in memory consumption on Envoy proxy instances without corresponding traffic increases
- Unusual patterns of RST_STREAM followed by GOAWAY frames in HTTP/2 connection logs
- Envoy proxy service restarts or crashes due to out-of-memory conditions
- Memory allocation failures in nghttp2 codec-related components
Detection Strategies
- Monitor Envoy memory usage metrics for abnormal growth patterns over time
- Implement alerting on memory threshold breaches for Envoy proxy processes
- Analyze HTTP/2 frame logs for suspicious RST_STREAM and GOAWAY frame sequences
- Deploy application performance monitoring to track memory allocation trends in proxy infrastructure
Monitoring Recommendations
- Configure memory usage alerts at 70%, 85%, and 95% thresholds for Envoy processes
- Enable detailed HTTP/2 frame logging during investigation periods
- Implement automated remediation to restart affected instances when memory exceeds critical thresholds
- Correlate memory growth with upstream server connection patterns to identify potential attack sources
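An added detection example, not part of the original page and not Envoy's own tooling, covering the frame-sequence analysis and the memory-threshold alerting recommended above; the log line format, the upstream names and LINE_RE are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed, simplified HTTP/2 frame log (one frame per line, tagged with the
# upstream host and connection). NOT Envoy's real log format; adapt LINE_RE.
SAMPLE_FRAME_LOG = """\
ts=1 upstream=backend-a conn=7 frame=HEADERS stream=1
ts=2 upstream=backend-a conn=7 frame=RST_STREAM stream=1
ts=3 upstream=backend-a conn=7 frame=GOAWAY stream=0
ts=4 upstream=backend-b conn=9 frame=HEADERS stream=3
ts=5 upstream=backend-b conn=9 frame=DATA stream=3
ts=6 upstream=backend-b conn=9 frame=GOAWAY stream=0
ts=7 upstream=backend-a conn=8 frame=HEADERS stream=1
ts=8 upstream=backend-a conn=8 frame=RST_STREAM stream=1
ts=9 upstream=backend-a conn=8 frame=GOAWAY stream=0
"""
LINE_RE = re.compile(r"ts=(\d+) upstream=(\S+) conn=(\d+) frame=(\S+) stream=\d+")

def find_rst_goaway_pairs(log_text):
    """Map upstream -> [(conn, rst_ts, goaway_ts)] for every RST_STREAM that is
    immediately followed by GOAWAY on the same connection: the frame sequence
    that triggers the CVE-2023-35945 leak. A GOAWAY after a normal response
    (backend-b above) is benign and is not reported."""
    last_frame = {}            # conn -> (frame type, ts) of the previous frame
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # ignore lines that are not frame records
        ts, upstream, conn, frame = int(m[1]), m[2], int(m[3]), m[4]
        prev = last_frame.get(conn)
        if frame == "GOAWAY" and prev is not None and prev[0] == "RST_STREAM":
            hits[upstream].append((conn, prev[1], ts))
        last_frame[conn] = (frame, ts)
    return dict(hits)

def suspicious_upstreams(log_text, min_pairs=2):
    """Upstreams showing the pattern repeatedly, i.e. candidates for the
    'identify potential attack sources' correlation step."""
    return {up: len(p) for up, p in find_rst_goaway_pairs(log_text).items()
            if len(p) >= min_pairs}

ALERT_TIERS = (0.70, 0.85, 0.95)   # the 70/85/95 % thresholds recommended above

def memory_alert_tier(used_bytes, limit_bytes):
    """Highest breached alert tier for an Envoy process (None if below 70 %)."""
    ratio = used_bytes / limit_bytes
    breached = [t for t in ALERT_TIERS if ratio >= t]
    return max(breached) if breached else None
```

Run `find_rst_goaway_pairs` over the frame log of an upstream cluster and raise the alert tier from memory samples of the same period to correlate the two signals.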
How to Mitigate CVE-2023-35945
Immediate Actions Required
- Upgrade Envoy to patched versions: 1.26.3, 1.25.8, 1.24.9, or 1.23.11 immediately
- Review upstream server configurations and ensure trusted upstream connections
- Implement memory limits for Envoy proxy containers to prevent full host memory exhaustion
- Enable automated instance recycling as a temporary measure until patching is complete
Patch Information
Envoyproxy has released security patches addressing this vulnerability across multiple supported versions. The fixed versions are 1.26.3, 1.25.8, 1.24.9, and 1.23.11. Organizations should upgrade to the appropriate patched version based on their current deployment. Detailed patch information is available in the Envoy Security Advisory GHSA-jfxv-29pc-x22r.
Workarounds
- Implement rate limiting on upstream connections to reduce the attack surface
- Deploy memory resource limits using container orchestration platforms like Kubernetes
- Configure automated health checks to restart Envoy instances exhibiting memory growth anomalies
- Consider temporary HTTP/1.1 fallback for untrusted upstream connections until patching is complete
# Example Kubernetes resource limits for Envoy containers
# Add to the container entry in your Envoy deployment specification
resources:
  limits:
    memory: "512Mi"
  requests:
    memory: "256Mi"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

