GMS-2023-3438: github.com/kumahq/kuma affected by CVE-2023-44487

October 17, 2023

Impact

Envoy and Go HTTP/2 protocol stack is vulnerable to the “Rapid Reset” class of exploits, which send a sequence of HEADERS frames optionally followed by RST_STREAM frames.

This can be exercised if you use the builtin gateway and receive untrusted http2 traffic.

Workarounds Disable http2 on the gateway listener with a MeshProxyPatch or ProxyTemplate.

References

github.com/advisories/GHSA-9wmc-rg4h-28wv
github.com/kumahq/kuma/pull/8001
github.com/kumahq/kuma/pull/8023
github.com/kumahq/kuma/pull/8034
github.com/kumahq/kuma/security/advisories/GHSA-9wmc-rg4h-28wv

Code Behaviors & Features

Detect and mitigate GMS-2023-3438 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →