CVE-2021-39162: Improper Check for Unusual or Exceptional Conditions

September 10, 2021 (updated September 13, 2021)

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary with this vulnerability patched. If only trusted upstreams are configured, there is not substantial risk of this condition being triggered.

References

github.com/advisories/GHSA-gjcg-vrxg-xmgv
github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
github.com/pomerium/pomerium/security/advisories/GHSA-gjcg-vrxg-xmgv
nvd.nist.gov/vuln/detail/CVE-2021-39162

Code Behaviors & Features

Detect and mitigate CVE-2021-39162 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →