PT-2021-22419 · Envoy+1
Travisgroth · Published 2021-09-09 · Updated 2024-08-21
CVE-2021-39162 · CVSS v3.1 8.6 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Pomerium versions prior to 0.15.1
Description
Pomerium, an open source identity-aware access proxy based on Envoy, can abnormally terminate if an HTTP/2 GOAWAY frame and a SETTINGS frame are received in the same I/O event. This can lead to a Denial of Service (DoS) in the presence of untrusted upstream servers. If only trusted upstreams are configured, there is no substantial risk of this condition being triggered.
Recommendations
For versions prior to 0.15.1, update to version 0.15.1, which contains an upgraded Envoy binary with this issue patched.
If only trusted upstreams are configured, there is no substantial risk of this condition being triggered, but updating to version 0.15.1 is still recommended.
Fix
DoS
Weakness Enumeration
Improper Check for Exceptional Conditions
Affected Products
Envoy
Pomerium