CVE-2021-32780

Опубликовано: 24 авг. 2021

Источник: nvd

CVSS3: 8.6

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream server will result in Denial of Service in the presence of untrusted upstream servers. Envoy versions 1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the CLOSED state.

Ссылки

https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
Third Party Advisory
https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history
Vendor Advisory
https://github.com/envoyproxy/envoy/security/advisories/GHSA-j374-mjrw-vvp8
Third Party Advisory
https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*

Версия от 1.18.0 (включая) до 1.18.4 (исключая)

cpe:2.3:a:envoyproxy:envoy:1.19.0:*:*:*:*:*:*:*

EPSS

Процентиль: 24%

0.00077

Низкий

8.6 High

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-754

Связанные уязвимости

CVE-2021-32780

CVSS3: 7.5

redhat

почти 4 года назад

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy transitions a H/2 connection to the CLOSED state when it receives a GOAWAY frame without any streams outstanding. The connection state is transitioned to DRAINING when it receives a SETTING frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Receiving these two frames in the same I/O event results in abnormal termination of the Envoy process due to invalid state transition from CLOSED to DRAINING. A sequence of H/2 frames delivered by an untrusted upstream server will result in Denial of Service in the presence of untrusted **upstream** servers. Envoy versions 1.19.1, 1.18.4 contain fixes to stop processing of pending H/2 frames after connection transition to the CLOSED state.

CVE-2021-32780

CVSS3: 8.6

debian

почти 4 года назад

Envoy is an open source L7 proxy and communication bus designed for la ...

ELSA-2021-9525

oracle-oval

больше 3 лет назад

ELSA-2021-9525: olcne security update (IMPORTANT)

ELSA-2021-9546

oracle-oval

больше 3 лет назад

ELSA-2021-9546: olcne istio istio kubernetes security update (IMPORTANT)

ELSA-2021-9526

oracle-oval

больше 3 лет назад

ELSA-2021-9526: olcne security update (IMPORTANT)

EPSS

Процентиль: 24%

0.00077

Низкий

8.6 High

CVSS3

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-754