CVE-2021-32778
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/08/2021
Last modified:
15/06/2022
Description
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy’s procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured with high limit on H/2 concurrent streams. An attacker wishing to exploit this vulnerability would require a client opening and closing a large number of H/2 streams. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to reduce time complexity of resetting HTTP/2 streams. As a workaround users may limit the number of simultaneous HTTP/2 dreams for upstream and downstream peers to a low number, i.e. 100.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | 1.16.0 (including) | 1.16.5 (excluding) |
| cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | 1.17.0 (including) | 1.17.4 (excluding) |
| cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:* | 1.18.0 (including) | 1.18.4 (excluding) |
| cpe:2.3:a:envoyproxy:envoy:1.19.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page