#VU56107 Use-after-free in envoy - CVE-2021-32781


Published: August 26, 2021


Vulnerability identifier: #VU56107
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32781
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: envoy
Software vendor: Cloud Native Computing Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error when processing HTTP requests and responses in Envoy. A remote attacker can send a specially crafted HTTP request or response to the application, trigger a use-after-free error and perform a denial of service attack.

Successful exploitation of the vulnerability requires the presence of an extension that can modify and increase the size of request or response bodies.


Remediation

Install updates from the vendor's website.

External links