
CVE-2021-32778 Excessive CPU utilization when closing HTTP/2 streams

Published: 2021-08-24 20:30:11
CWE: CWE-834
Source: GitHub_M (www.cve.org)
Tags: cve-2021-32778, envoy, http/2 streams, denial of service, time complexity, fix, workaround

CVSS3: 5.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

AI Score: 7.7 (Confidence: High)
EPSS: 0.001 (Percentile: 45.6%)

Envoy is an open source L7 proxy and communication bus designed for large modern service-oriented architectures. In affected versions Envoy's procedure for resetting an HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured with a high limit on H/2 concurrent streams. An attacker wishing to exploit this vulnerability would require a client opening and closing a large number of H/2 streams. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to reduce the time complexity of resetting HTTP/2 streams. As a workaround, users may limit the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, for example 100.

CNA Affected

[
  {
    "product": "envoy",
    "vendor": "envoyproxy",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.19.0, < 1.19.1"
      },
      {
        "status": "affected",
        "version": ">= 1.18.0, < 1.18.4"
      },
      {
        "status": "affected",
        "version": ">= 1.17.0, < 1.17.4"
      },
      {
        "status": "affected",
        "version": ">= 1.16.0, < 1.16.5"
      }
    ]
  }
]
