Description
Envoy is a cloud-native high-performance edge/middle/service proxy. The JWT filter leads to an Envoy crash when the route cache is cleared with remote JWKs, in the following case: 1. remote JWKs are used, which requires async header processing; 2. clear_route_cache is enabled on the provider; 3. header operations are enabled in the JWT filter, e.g. the header to claims feature; 4. the routing table is configured in a way that the JWT header operations modify requests to not match any route. When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route(). The root cause is the ordering of continueDecoding and clearRouteCache. This issue has been addressed in versions 1.31.2, 1.30.6, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
A flaw was found in Envoy. The JWT filter will lead to a crash in Envoy when clearing the route cache with remote JWKs in the following cases:
- Remote JWKs are used, which requires async header processing
- clear_route_cache is enabled on the provider
- Header operations are enabled in JWT filter, for example, header to claims feature
- The routing table is configured in a way that the JWT header operations modify requests to not match any route

When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route(). The root cause is the ordering of continueDecoding and clearRouteCache.
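The provider conditions and fixed versions listed above can be checked against a deployment. The following is an added example, not code from Envoy or from this advisory; it assumes the Envoy config is available as JSON, that the "header to claims feature" corresponds to the provider's claim_to_headers field, and it runs on a constructed sample config.

```python
import json

# Fixed releases per branch, taken from the advisory text.
FIXED = {(1, 29): (1, 29, 9), (1, 30): (1, 30, 6), (1, 31): (1, 31, 2)}
JWT_TYPE = "envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication"

def is_fixed(version):
    """True if an Envoy version string is at or above its branch's fixed release."""
    v = tuple(int(p) for p in version.split("-")[0].split("."))
    fixed = FIXED.get(v[:2])
    # Assumption: branches after 1.31 carry the fix, branches before 1.29 do not.
    return v >= fixed if fixed else v[:2] > (1, 31)

def iter_providers(node):
    """Yield (name, provider) for every jwt_authn filter config in the tree."""
    if isinstance(node, dict):
        if str(node.get("@type", "")).endswith(JWT_TYPE):
            yield from node.get("providers", {}).items()
        for child in node.values():
            yield from iter_providers(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_providers(child)

def risky_providers(config):
    """Names of providers meeting conditions 1-3 (condition 4 needs route review)."""
    return sorted(
        name for name, p in iter_providers(config)
        if "remote_jwks" in p and p.get("clear_route_cache") and p.get("claim_to_headers")
    )

# Constructed sample: one remote-JWKS provider and one local-JWKS provider.
SAMPLE = json.loads("""
{"http_filters": [{"name": "envoy.filters.http.jwt_authn", "typed_config": {
  "@type": "type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication",
  "providers": {
    "idp_remote": {"remote_jwks": {"http_uri": {"uri": "https://idp.example/jwks"}},
                   "clear_route_cache": true,
                   "claim_to_headers": [{"header_name": "x-tenant", "claim_name": "tenant"}]},
    "idp_local": {"local_jwks": {"filename": "/etc/envoy/jwks.json"},
                  "clear_route_cache": true,
                  "claim_to_headers": [{"header_name": "x-tenant", "claim_name": "tenant"}]}
  }}}]}
""")

if __name__ == "__main__":
    print("providers to review:", risky_providers(SAMPLE))
    print("1.31.1 fixed?", is_fixed("1.31.1"))
```

A provider reported here still needs its route table reviewed for the fourth condition, which this check does not evaluate.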
Report
This vulnerability in Envoy should be considered high-severity rather than moderate due to its potential to cause a complete crash of the service when handling JWT authentication with remote JWKs and asynchronous header processing. In cloud-native environments where Envoy is often used as a critical edge or service proxy, the conditions triggering this crash—such as the combination of route cache clearing, header operations, and JWT authentication—are not uncommon. The impact is significant because the crash occurs during normal request processing, leading to service disruption and downtime.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2 | openshift-service-mesh/istio-cni-rhel8 | Affected | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/pilot-rhel8 | Affected | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel8 | Not affected | | |
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel9 | Not affected | | |
Additional information
Status:
7.5 High
CVSS3