Piotr Sikora

#17528 of 53,633
15.3 Total CVSS
Vulnerabilities · 2
High
2
PT-2020-20256
7.5
2020-07-01
Envoy · Envoy · CVE-2020-8663
**Name of the Vulnerable Software and Affected Versions** Envoy versions 1.14.2, 1.13.2, 1.12.4 or earlier

**Description** The issue may cause Envoy to exhaust file descriptors and/or memory when accepting too many connections.

**Recommendations** For Envoy versions 1.14.2, 1.13.2, 1.12.4 or earlier, update to a version that contains a fix for this issue to prevent file descriptor and memory exhaustion. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2019-2979
7.8
2019-08-13
Http/2 · Http/2 · CVE-2019-9518
**Name of the Vulnerable Software and Affected Versions** HTTP/2 implementations (affected versions not specified)

**Description** The issue is related to a flood of empty frames in HTTP/2 implementations, which can lead to a denial of service. An attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be `DATA`, `HEADERS`, `CONTINUATION`, and/or `PUSH_PROMISE`. The peer spends time processing each frame disproportionate to attack bandwidth, consuming excess CPU.

**Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.