openSUSE 15 Security Update : envoy-proxy (openSUSE-SU-2022:0065-1)

Severity: High, Nessus Plugin ID 158575



The remote SUSE host is missing one or more security updates.


The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0065-1 advisory.

- Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with many small (i.e. 1 byte) data frames. (CVE-2020-12603)

- Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. (CVE-2020-12604)

- Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when processing HTTP/1.1 headers with long field names or requests with long URLs. (CVE-2020-12605)

- Envoy before 1.16.1 mishandles dropped and truncated datagrams, as demonstrated by a segmentation fault for a UDP packet size larger than 1500. (CVE-2020-35471)

- Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections. (CVE-2020-8663)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.


Update the affected envoy-proxy and/or envoy-proxy-source packages.

Plugin Details

Severity: High

ID: 158575

File Name: openSUSE-2022-0065-1.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/3/2022

Updated: 11/6/2023

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent

Risk Information


Risk Factor: Medium

Score: 4.4


Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2020-8663


Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:envoy-proxy, p-cpe:/a:novell:opensuse:envoy-proxy-source, cpe:/o:novell:opensuse:15.3

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/2/2022

Vulnerability Publication Date: 7/1/2020

Reference Information

CVE: CVE-2020-12603, CVE-2020-12604, CVE-2020-12605, CVE-2020-35471, CVE-2020-8663