Skip to content

Excessive CPU utilization when closing HTTP/2 streams

High
lizan published GHSA-3xh3-33v5-chcc Aug 24, 2021

Package

No package listed

Affected versions

1.19.0, 1.18.3, 1.17.3, 1.16.4

Patched versions

1.19.1, 1.18.4, 1.17.4

Description

CVSS score 8.6 (High), Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Envoy’s procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset.

Impact

Denial of Service when Envoy is configured with high limit on HTTP/2 concurrent streams.

Attack vector

A client opening and closing a large number of HTTP/2 streams.

Patches

Envoy versions 1.19.1, 1.18.4, 1.17.4 contain fixes to reduce time complexity of resetting HTTP/2 streams.

IMPORTANT: Due to significant divergence in affected source code between Envoy versions 1.16 and 1.17 it is not feasible to backport the fix into the the 1.16 stable branch without increasing the risk of destabilizing it. As a result operators of Envoy version 1.16 are recommended to apply workaround listed below. See recommended edge settings for instructions about changing this setting.

Workarounds

Limit the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, i.e. 10.

Credits

Nikolas Koutounidis koutounidis.nikolaos@gmail.com

References

https://blog.envoyproxy.io
https://github.com/envoyproxy/envoy/releases

For more information

If you have any questions or comments about this advisory:

Open an issue in Envoy repo
Email us at envoy-security

Severity

High

CVE ID

CVE-2021-32778

Weaknesses