
Cloud Vulnerability DB
A community-led vulnerabilities database
CNCF Envoy through version 1.13.0 contains a vulnerability where the system may consume excessive amounts of memory when responding internally to pipelined requests. The vulnerability was discovered by Alyssa Wilk from Google LLC and was assigned CVE-2020-8661. The issue affects the HTTP/1 codec component of Envoy (GitHub Advisory).
The vulnerability occurs when Envoy answers illegally formed pipelined requests with internally generated 400 error responses, which are written to the Network::Connection output buffer. If the client reads those responses slowly while continuing to pipeline malformed requests, the buffered responses accumulate without bound, giving functionally unlimited memory consumption. The issue also bypasses Envoy's overload manager: when memory approaches the configured thresholds, the overload manager itself emits internally generated responses, which only adds to the buffered data and exacerbates the problem. The vulnerability carries a CVSS v3 base score of 7.5 (High on the CVSS qualitative scale); Red Hat rates its impact as Moderate (Red Hat CVE).
The primary impact of this vulnerability is potential denial-of-service and excessive resource consumption, particularly memory. When exploited, it can lead to functionally unlimited memory consumption in the affected system, potentially causing service disruption (GitHub Advisory).
The vulnerability has been patched in Envoy versions 1.13.1 and 1.12.3. Users are advised to upgrade to these or later versions. The fix adds HTTP/1.1 flood protection, which limits how many internally generated responses can pile up for a connection whose client is not reading them. The protection can be temporarily disabled with the runtime feature envoy.reloadable_features.http1_flood_protection (Envoy Docs); setting that flag to false restores the vulnerable behaviour on a patched build, so it should only be turned off briefly while diagnosing a regression, never left disabled in production.
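A practitioner auditing a fleet wants two checks for this advisory: is the running Envoy older than the fixed releases (1.12.3 / 1.13.1), and, on a patched build, has someone overridden envoy.reloadable_features.http1_flood_protection to false. The script below is an added example, not Envoy's or Wiz's own code. It evaluates JSON an operator would fetch from the Envoy admin interface (`/server_info` and `/runtime`); the sample documents are constructed, and the exact field names (`version`, `entries`, `final_value`) and the composite form of the version string are assumptions about the admin API output rather than facts taken from the advisory.

```python
"""Audit helper for CVE-2020-8661 (added example, not Envoy's own code).

Input is the JSON that `curl http://127.0.0.1:9901/server_info` and
`curl http://127.0.0.1:9901/runtime` would return. The samples at the bottom
are constructed; the field names used here are an assumption about the
admin API's output format.
"""
import json
import re
from typing import Optional, Tuple

FLOOD_FLAG = "envoy.reloadable_features.http1_flood_protection"


def parse_envoy_version(server_info_json: str) -> Optional[Tuple[int, int, int]]:
    """Pull the x.y.z release out of /server_info's composite version string
    (assumed shape: "<sha>/1.13.0/Clean/RELEASE/BoringSSL")."""
    info = json.loads(server_info_json)
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", info.get("version", ""))
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_vulnerable(v: Tuple[int, int, int]) -> bool:
    """The advisory names 1.12.3 and 1.13.1 as fixed releases, so anything
    older than 1.12.3, or the 1.13.0 release itself, still has the
    unpatched HTTP/1 codec. 1.14 and later ship with the fix."""
    return v < (1, 12, 3) or (1, 13, 0) <= v < (1, 13, 1)


def flood_protection_disabled(runtime_json: str) -> bool:
    """True when the runtime layers resolve the flood-protection flag to
    false. An absent entry means the compiled-in default (enabled) applies."""
    rt = json.loads(runtime_json)
    entry = rt.get("entries", {}).get(FLOOD_FLAG)
    if entry is None:
        return False
    return str(entry.get("final_value", "")).strip().lower() == "false"


def assess(server_info_json: str, runtime_json: str) -> str:
    """Combine both checks into one verdict string."""
    v = parse_envoy_version(server_info_json)
    if v is None:
        return "unknown: could not parse Envoy version from /server_info"
    ver = ".".join(map(str, v))
    if version_is_vulnerable(v):
        return (f"vulnerable: Envoy {ver} predates the CVE-2020-8661 fix; "
                f"upgrade to 1.12.3 / 1.13.1 or later")
    if flood_protection_disabled(runtime_json):
        return (f"vulnerable: Envoy {ver} is patched but {FLOOD_FLAG} "
                f"is overridden to false, re-enabling the bug")
    return f"ok: Envoy {ver} has HTTP/1 flood protection enabled"


# Constructed sample documents (not captured from a real proxy).
SAMPLE_SERVER_INFO_OLD = json.dumps(
    {"version": "0123abcd/1.13.0/Clean/RELEASE/BoringSSL", "state": "LIVE"})
SAMPLE_SERVER_INFO_NEW = json.dumps(
    {"version": "0123abcd/1.13.1/Clean/RELEASE/BoringSSL", "state": "LIVE"})
SAMPLE_RUNTIME_DEFAULT = json.dumps(
    {"entries": {}, "layers": ["static_layer_0", "admin"]})
SAMPLE_RUNTIME_DISABLED = json.dumps(
    {"entries": {FLOOD_FLAG: {"final_value": "false",
                              "layer_values": ["", "false"]}},
     "layers": ["static_layer_0", "admin"]})

if __name__ == "__main__":
    for label, si, rt in [
        ("old build", SAMPLE_SERVER_INFO_OLD, SAMPLE_RUNTIME_DEFAULT),
        ("patched build", SAMPLE_SERVER_INFO_NEW, SAMPLE_RUNTIME_DEFAULT),
        ("patched, flag off", SAMPLE_SERVER_INFO_NEW, SAMPLE_RUNTIME_DISABLED),
    ]:
        print(f"{label:20s} {assess(si, rt)}")
```

The second check matters because the runtime override is reloadable: a flag flipped through the admin `/runtime_modify` endpoint or a runtime layer survives as a silent downgrade even after the binary has been upgraded, so version checks alone are not sufficient.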
Source: This report was generated using AI