Summary
When a Lua script returns a response body whose size exceeds per_connection_buffer_limit_bytes (default 1MB), Envoy crashes.
Details
A Use-After-Free vulnerability exists in the Envoy proxy's Lua filter. It is triggered when a Lua script running in the response phase rewrites the response body to a size that exceeds the configured buffer watermark, which causes Envoy to send a local reply. The local reply's headers replace the original response headers, so every reference the filter still holds to the original response headers becomes dangling.
Mitigation
- Increase per_connection_buffer_limit_bytes to a value larger than any response body a Lua script can produce.
- For HTTP/2, set initial_stream_window_size to a large enough value as well.
- Because the problem occurs in the response phase, per_request_buffer_limit_bytes or request_body_buffer_limit can also be raised to a large enough value to avoid it.
- The fix will be released in the latest version.
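The following Envoy bootstrap fragment shows the mitigation settings from the list above applied together. It is an added example, not configuration from this advisory or from the Envoy project; the listener name, port, cluster name and the 16 MiB limit are assumptions, and the limit should be sized to the largest body the operator's own Lua script can emit.

```yaml
# Added example: raise the buffer limits that a Lua-rewritten response body
# can exceed, so the oversized body does not trigger a local reply.
static_resources:
  listeners:
  - name: ingress            # assumed listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    # Listener-level per-connection buffer limit (default is 1MB).
    per_connection_buffer_limit_bytes: 16777216
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          # For HTTP/2 downstreams, also raise the stream flow-control window.
          http2_protocol_options:
            initial_stream_window_size: 16777216
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                # Route-level buffer limit for this request/response.
                per_request_buffer_limit_bytes: 16777216
                route: { cluster: upstream }   # assumed cluster name
          http_filters:
          - name: envoy.filters.http.lua
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              default_source_code:
                inline_string: |
                  -- The operator's own response-phase script is loaded here;
                  -- the limits above must exceed any body it produces.
                  function envoy_on_response(response_handle)
                  end
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: upstream
    type: STATIC
    # Raise the upstream per-connection buffer limit as well.
    per_connection_buffer_limit_bytes: 16777216
    load_assignment:
      cluster_name: upstream
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

Raising these limits only avoids the crash; it also increases the memory each connection may buffer, so the values should be chosen against the deployment's memory budget, and the released fix should be applied once available.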
Impact
Denial of service: the Envoy process crashes.