Lucene search

Redhat.comRH:CVE-2019-18836

HistoryNov 11, 2019 - 9:22 a.m.

CVE-2019-18836

2019-11-1109:22:44

redhat.com

access.redhat.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.009 Low

EPSS

Percentile

82.0%

JSON

A flaw was found in envoy. When listeners are configured with continue_on_listener_filters_timeout true, an infinite busy loop is created if at least one connection is maintained on the loop. A remote attacker only needs to maintain one idle connection to consume one CPU core of the Envoy server, potentially leading to a denial of service attack. The highest threat from this vulnerability is to system availability.

References

bugzilla.redhat.com/show_bug.cgi?id=1770713

github.com/envoyproxy/envoy/security/advisories/GHSA-3xvf-4396-cj46

nvd.nist.gov/vuln/detail/CVE-2019-18836

www.cve.org/CVERecord?id=CVE-2019-18836

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.009 Low

EPSS

Percentile

82.0%

JSON

Related for RH:CVE-2019-18836