CVE-2021-32778: 
NixOS vulnerability analysis and mitigation

Envoy, an open source L7 proxy and communication bus designed for large modern service oriented architectures, was found to contain a vulnerability (CVE-2021-32778) in its HTTP/2 stream handling. The issue was discovered in 2021 and affected versions prior to 1.19.1, 1.18.4, 1.17.4, and 1.16.5. The vulnerability stems from Envoy's procedure for resetting HTTP/2 streams having O(N^2) complexity (GitHub Advisory).

The vulnerability has a CVSS score of 8.6 (High) with a vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L. The technical issue involves the HTTP/2 stream reset procedure having quadratic time complexity (O(N^2)), which leads to excessive CPU utilization when handling a large number of stream resets. This vulnerability is classified under CWE-834 (GitHub Advisory).

The primary impact of this vulnerability is a potential Denial of Service (DoS) condition when Envoy is configured with high limits on HTTP/2 concurrent streams. The high CPU utilization resulting from the quadratic complexity can significantly degrade system performance (GitHub Advisory).

Fixed versions (1.19.1, 1.18.4, 1.17.4) contain patches that reduce the time complexity of resetting HTTP/2 streams. For version 1.16, due to significant code divergence, backporting the fix was deemed risky. As a workaround, users can limit the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number (approximately 100 or lower) (GitHub Advisory, Debian Tracker).