CVE-2021-32778: Excessive Iteration in Envoy

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 81.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 24; Latest update Sep 10

Description

Envoy is an open source L7 proxy and communication bus designed for large, modern service-oriented architectures. In affected versions, Envoy's procedure for resetting an HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured with a high limit on H/2 concurrent streams. An attacker wishing to exploit this vulnerability would require a client opening and closing a large num

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source      Package                        Introduced   Fixed    More
NVD         envoyproxy/envoy               1.16.0       1.16.5   +3
CVEListV5   envoyproxy/envoy               4 versions            +3
Go          github.com/pomerium_pomerium   0.15.0       0.15.1   +1

Vulnerability Details (2)

GHSA: Excessive CPU usage (2021-09-10)
OSV: Excessive CPU usage (2021-09-10)

Vendor Advisories (1)

Red Hat: envoyproxy/envoy: excessive CPU usage when handling a large number of HTTP/2 requests (2021-08-24)
Source: cvebase (CVE-2021-32778: Excessive Iteration in Envoy)