{
  "threat_severity" : "Moderate",
  "public_date" : "2024-04-03T00:00:00Z",
  "bugzilla" : {
    "description" : "envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood",
    "id" : "2272986",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2272986"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-390",
  "details" : [ "Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 is vulnerable to CPU exhaustion due to a flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, causing excessive CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable the HTTP/2 protocol for downstream connections.", "A vulnerability was found in how Envoy Proxy implements the HTTP/2 codec. There are insufficient limitations placed on the number of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers that use up compute resources, causing a Denial of Service." ],
  "statement" : "Red Hat rates the security impact of this vulnerability as Moderate, in alignment with upstream Envoy. The worst-case scenario is excessive CPU utilization causing a denial of service. Once an attack has ended, the system should return to normal operation on its own.",
  "acknowledgement" : "Red Hat would like to thank Bartek Nowotarski (nowotarski.info) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.7",
    "release_date" : "2024-07-11T00:00:00Z",
    "advisory" : "RHSA-2024:4520",
    "cpe" : "cpe:/a:redhat:rhmt:1.7::el8",
    "package" : "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8:v1.7.16-6"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.5 for RHEL 8",
    "release_date" : "2024-10-07T00:00:00Z",
    "advisory" : "RHSA-2024:7725",
    "cpe" : "cpe:/a:redhat:service_mesh:2.5::el8",
    "package" : "openshift-service-mesh/grafana-rhel8:2.5.5-3"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.5 for RHEL 8",
    "release_date" : "2024-10-07T00:00:00Z",
    "advisory" : "RHSA-2024:7725",
    "cpe" : "cpe:/a:redhat:service_mesh:2.5::el8",
    "package" : "openshift-service-mesh/istio-cni-rhel8:2.5.5-4"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.5 for RHEL 8",
    "release_date" : "2024-10-07T00:00:00Z",
    "advisory" : "RHSA-2024:7725",
    "cpe" : "cpe:/a:redhat:service_mesh:2.5::el8",
    "package" : "openshift-service-mesh/istio-must-gather-rhel8:2.5.5-4"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.5 for RHEL 8",
    "release_date" : "2024-10-07T00:00:00Z",
    "advisory" : "RHSA-2024:7725",
    "cpe" : "cpe:/a:redhat:service_mesh:2.5::el8",
    "package" : "openshift-service-mesh/kiali-ossmc-rhel8:1.73.14-3"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.5 for RHEL 8",
    "release_date" : "2024-10-07T00:00:00Z",
    "advisory" : "RHSA-2024:7725",
    "cpe" : "cpe:/a:redhat:service_mesh:2.5::el8",
    "package" : "openshift-service-mesh/kiali-rhel8:1.73.15-3"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.5 for RHEL 8",
    "release_date" : "2024-10-07T00:00:00Z",
    "advisory" : "RHSA-2024:7725",
    "cpe" : "cpe:/a:redhat:service_mesh:2.5::el8",
    "package" : "openshift-service-mesh/pilot-rhel8:2.5.5-4"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.5 for RHEL 8",
    "release_date" : "2024-10-07T00:00:00Z",
    "advisory" : "RHSA-2024:7725",
    "cpe" : "cpe:/a:redhat:service_mesh:2.5::el8",
    "package" : "openshift-service-mesh/proxyv2-rhel8:2.5.5-6"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 2.5 for RHEL 8",
    "release_date" : "2024-10-07T00:00:00Z",
    "advisory" : "RHSA-2024:7725",
    "cpe" : "cpe:/a:redhat:service_mesh:2.5::el8",
    "package" : "openshift-service-mesh/ratelimit-rhel8:2.5.5-3"
  } ],
  "package_state" : [ {
    "product_name" : "Custom Metric Autoscaler operator for Red Hat Openshift",
    "fix_state" : "Will not fix",
    "package_name" : "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/logging-loki-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logical Volume Manager Storage",
    "fix_state" : "Affected",
    "package_name" : "lvms4/topolvm-rhel9",
    "cpe" : "cpe:/a:redhat:lvms:4"
  }, {
    "product_name" : "Migration Toolkit for Applications 6",
    "fix_state" : "Will not fix",
    "package_name" : "mta/mta-hub-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6"
  }, {
    "product_name" : "OpenShift API for Data Protection",
    "fix_state" : "Not affected",
    "package_name" : "oadp/oadp-velero-plugin-for-gcp-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_api_data_protection:1"
  }, {
    "product_name" : "OpenShift API for Data Protection",
    "fix_state" : "Not affected",
    "package_name" : "oadp/oadp-velero-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_api_data_protection:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/eventing-mtping-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/acm-grafana-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/management-ingress-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Affected",
    "package_name" : "rhceph/rhceph-5-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat Ceph Storage 6",
    "fix_state" : "Will not fix",
    "package_name" : "rhceph/rhceph-6-dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:ceph_storage:6"
  }, {
    "product_name" : "Red Hat Ceph Storage 7",
    "fix_state" : "Affected",
    "package_name" : "rhceph/grafana-rhel9",
    "cpe" : "cpe:/a:redhat:ceph_storage:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-contour-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-prometheus",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-selinuxd-container",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Will not fix",
    "package_name" : "ocs4/cephcsi-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odf-topolvm-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhods/odh-ml-pipelines-cache-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhods/odh-operator-base-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Will not fix",
    "package_name" : "devspaces/devspaces-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Will not fix",
    "package_name" : "rhosdt/tempo-gateway-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Will not fix",
    "package_name" : "rhosdt/opentelemetry-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat Openshift Sandboxed Containers",
    "fix_state" : "Affected",
    "package_name" : "openshift-sandboxed-containers/osc-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_sandboxed_containers:1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "osp-director-provisioner-container",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-30255\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-30255\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm\nhttps://nowotarski.info/http2-continuation-flood/\nhttps://www.kb.cert.org/vuls/id/421644" ],
  "name" : "CVE-2024-30255",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}