CVE-2021-28683: 
NixOS vulnerability analysis and mitigation

A NULL pointer dereference vulnerability (CVE-2021-28683) was discovered in Envoy through version 1.71.1. The vulnerability occurs when an unknown TLS alert code is received during a TLS connection, causing Envoy to crash when attempting to get a textual description of the alert code. This issue specifically affects versions using C++17, as it relates to the handling of nullptr in std::string_view constructor (GitHub Advisory).

The vulnerability is caused by a NULL pointer dereference that occurs during TLS alert code handling. When Envoy receives a TLS alert with an unknown code, it attempts to get a textual description of the alert code. Due to the transition to C++17 and the use of std::stringview instead of absl::stringview, the nullptr handling in the constructor leads to a crash. This issue does not affect versions 1.15 and earlier, as they used Abseil's version of string_view which handled nullptr differently. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is Denial of Service (DoS). When successfully exploited, it causes Envoy to crash, disrupting the service availability. The vulnerability can be triggered remotely, making it particularly concerning for systems exposed to untrusted network traffic (GitHub Advisory).

The vulnerability has been patched in versions 1.18.0, 1.17.2, and 1.16.3. Users are advised to upgrade to these or later versions to address the security issue. No temporary workarounds were provided for this vulnerability (GitHub Advisory).