Excessive Iteration Affecting kubectl package, versions <0:1.20.11-4.el8
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ORACLE8-KUBECTL-2600457
- published 10 Apr 2022
- disclosed 24 Aug 2021
Introduced: 24 Aug 2021
CVE-2021-32778 Open this link in a new tabHow to fix?
Upgrade Oracle:8 kubectl to version 0:1.20.11-4.el8 or higher.
This issue was patched in ELSA-2021-9546.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kubectl package and not the kubectl package as distributed by Oracle.
See How to fix? for Oracle:8 relevant fixed versions and status.
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions envoy’s procedure for resetting a HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured with high limit on H/2 concurrent streams. An attacker wishing to exploit this vulnerability would require a client opening and closing a large number of H/2 streams. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to reduce time complexity of resetting HTTP/2 streams. As a workaround users may limit the number of simultaneous HTTP/2 dreams for upstream and downstream peers to a low number, i.e. 100.
References
- https://linux.oracle.com/cve/CVE-2021-32778.html
- https://linux.oracle.com/errata/ELSA-2021-9525.html
- https://linux.oracle.com/errata/ELSA-2021-9546.html
- https://www.envoyproxy.io/docs/envoy/v1.19.0/version_history/version_history
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-3xh3-33v5-chcc