PT-2021-19923 · Envoy · Envoy

Nikolas Koutounidis · Published 2021-08-24 · Updated 2024-03-06 · CVE-2021-32778

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Envoy versions prior to 1.16.5
Envoy versions prior to 1.17.4
Envoy versions prior to 1.18.4
Envoy versions prior to 1.19.1

Description

The procedure for resetting an HTTP/2 stream in Envoy has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. This makes deployments susceptible to Denial of Service when Envoy is configured with a high limit on HTTP/2 concurrent streams. An attacker would need to open and close a large number of HTTP/2 streams to exploit this issue.

Recommendations

For versions prior to 1.16.5, update to version 1.16.5 or later to reduce the time complexity of resetting HTTP/2 streams.
For versions prior to 1.17.4, update to version 1.17.4 or later to reduce the time complexity of resetting HTTP/2 streams.
For versions prior to 1.18.4, update to version 1.18.4 or later to reduce the time complexity of resetting HTTP/2 streams.
For versions prior to 1.19.1, update to version 1.19.1 or later to reduce the time complexity of resetting HTTP/2 streams.

As a temporary workaround, consider limiting the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, such as 100.
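The workaround above, applied to an Envoy bootstrap configuration, as an added example that is not part of this advisory and not taken from the Envoy project's own documentation. The listener, cluster and backend names and addresses are assumed for illustration; `max_concurrent_streams` under `http2_protocol_options` is the real Envoy field being tuned, and when it is omitted Envoy falls back to its protobuf default of 2147483647 (2^31 - 1), which is exactly the "high limit" the advisory warns about. The downstream limit goes on the HTTP connection manager; the upstream limit goes on the cluster via `typed_extension_protocol_options`.

```yaml
# Added example: cap concurrent HTTP/2 streams on both sides of the proxy.
# Names, ports and the backend address are assumed; only the
# max_concurrent_streams fields matter for the CVE-2021-32778 workaround.
static_resources:
  listeners:
  - name: ingress_listener            # assumed listener name
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          # Downstream (client-facing) HTTP/2 settings.
          # Weak: omit this block (default 2147483647) or set a large value
          # such as 100000. Mitigated: a low cap, per the advisory.
          http2_protocol_options:
            max_concurrent_streams: 100
          route_config:
            name: local_route          # assumed route name
            virtual_hosts:
            - name: backend_vhost      # assumed virtual host name
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
  - name: backend                     # assumed cluster name
    connect_timeout: 1s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal, port_value: 8080 }  # assumed backend
    # Upstream (backend-facing) HTTP/2 settings. The same weak/mitigated
    # distinction applies: the cluster-side limit must also be lowered,
    # since the advisory names both upstream and downstream peers.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options:
            max_concurrent_streams: 100
```

After applying the change, `envoy --mode validate -c <config>` confirms the file parses; the effective limit is then advertised to each peer in the SETTINGS frame at connection start, so a peer cannot hold more than 100 streams open per connection regardless of how many it tries to create. This bounds N in the O(N^2) reset path but does not remove it, which is why the advisory lists the setting only as a temporary measure until the fixed release is deployed.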

Fix

DoS

Weakness Enumeration

Related Identifiers

BIT-ENVOY-2021-32778
CVE-2021-32778
GHSA-3XH3-33V5-CHCC

Affected Products

Envoy