CVE-2021-32778
Summary
| Field | Value |
|---|---|
| CVE | CVE-2021-32778 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-08-24 21:15:00 UTC |
| Updated | 2022-06-15 15:49:00 UTC |
| Description | Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy's procedure for resetting an HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured with a high limit on H/2 concurrent streams. An attacker wishing to exploit this vulnerability would require a client opening and closing a large number of H/2 streams. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to reduce time complexity of resetting HTTP/2 streams. As a workaround users may limit the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, i.e. 100. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Excessive CPU utilization when closing HTTP/2 streams · Advisory · envoyproxy/envoy · GitHub | CONFIRM | github.com | |
| Version history — envoy tag-v1.19.0 documentation | MISC | www.envoyproxy.io | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159555 Oracle Enterprise Linux Security Update for olcne (ELSA-2021-9525)
- 159558 Oracle Enterprise Linux Security Update for olcne istio istio kubernetes (ELSA-2021-9546)