Vulnerabilities > CVE-2021-32778 - Excessive Iteration vulnerability in Envoyproxy Envoy

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

envoyproxy

CWE-834

NVD

Published: 2021-08-24

Updated: 2022-06-15

Summary

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy’s procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured with high limit on H/2 concurrent streams. An attacker wishing to exploit this vulnerability would require a client opening and closing a large number of H/2 streams. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to reduce time complexity of resetting HTTP/2 streams. As a workaround users may limit the number of simultaneous HTTP/2 dreams for upstream and downstream peers to a low number, i.e. 100.

Vulnerable Configurations

Part	Description	Count
Application	Envoyproxy Envoyproxy Envoy 1.19.0 Envoyproxy Envoy 1.16.0 Envoyproxy Envoy 1.16.1 Envoyproxy Envoy 1.16.2 Envoyproxy Envoy 1.16.3 Envoyproxy Envoy 1.16.4 Envoyproxy Envoy 1.17.0 Envoyproxy Envoy 1.17.1 Envoyproxy Envoy 1.17.2 Envoyproxy Envoy 1.17.3 Envoyproxy Envoy 1.18.0 Envoyproxy Envoy 1.18.1 Envoyproxy Envoy 1.18.2 Envoyproxy Envoy 1.18.3	14

Common Weakness Enumeration (CWE)

CWE-834 - Excessive Iteration

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References