Name of the Vulnerable Software and Affected Versions Envoy and Go HTTP/2 protocol stack (affected versions not specified)

Description The issue concerns a vulnerability to the "Rapid Reset" class of exploits. This can be triggered by sending a sequence of HEADERS frames optionally followed by RST STREAM frames, particularly when receiving untrusted HTTP/2 traffic through the builtin gateway.

Recommendations Disable HTTP/2 on the gateway listener with a MeshProxyPatch or ProxyTemplate as a temporary workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.