Bug 1996946 (CVE-2021-32778)

Summary: CVE-2021-32778 envoyproxy/envoy: excessive CPU usage when handling a large number of HTTP/2 requests
Product: [Other] Security Response Reporter: Mark Cooper <mcooper>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jwendell, rcernich, twalsh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: envoyproxy/envoy 1.19.1, envoyproxy/envoy 1.18.4, envoyproxy/envoy 1.17.4, envoyrproxy/envoy 1.16.5 Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption vulnerability was found in envoyproxy/envoy. When envoy handles a large number of HTTP/2 requests which open and then reset the connection, it can cause excessive CPU usage. This flaw allows an attacker to cause a denial of service on the proxy. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1996910    

Description Mark Cooper 2021-08-24 04:26:09 UTC
Envoy proxy through 1.19.1 contains an excessive resources consumption vulnerability. When handling a large number of HTTP/2 requests during the opening and resetting of requests, this causes excessive CPU usage potentially resulting in a denial of service.