CVE-2020-12604: 
NixOS vulnerability analysis and mitigation

Envoy versions 1.14.2, 1.13.2, 1.12.4 and earlier contain a vulnerability related to HTTP/2 stream flow control that could lead to resource exhaustion. The vulnerability was discovered through collaboration between Bartosz Borkowski, who initially reported an OOM issue, and Matt Klein who identified the root cause (GitHub Advisory).

The vulnerability stems from Envoy's implementation of HTTP/2 stream flow control, configured by initial_stream_window_size setting for both downstream HTTP listeners and upstream HTTP clusters. The issue occurs when an untrusted client opens streams up to the max_concurrent_streams limit and requests a large resource. If the downstream client doesn't open receive window, Envoy buffers the final stream data without releasing it, leading to potential memory exhaustion. The vulnerability's impact is bounded by both max_concurrent_streams and initial_stream_window_size settings (GitHub Advisory).

A malicious client with knowledge of backend configuration could craft sequences of connections and streams causing Envoy to consume and never release substantial memory. By strategically using max_concurrent_streams - 1 streams per connection and maintaining normal periodic requests on the final stream, attackers could prevent the connection idle timer from triggering, leading to sustained resource consumption (GitHub Advisory).

The issue has been patched in versions 1.14.3, 1.13.3, and 1.12.5. The fix implements stream_idle_timeout to handle final data flush when data is buffered pending available downstream window. If downstream window isn't opened, Envoy will reset the stream and release buffered data when the idle timeout triggers (GitHub Advisory).