Bug 1933681 (CVE-2021-21378)

Summary: CVE-2021-21378 envoyproxy/envoy: JWT validation bypass when allow_missing is used
Product: [Other] Security Response Reporter: Mark Cooper <mcooper>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jwendell, kconner, rcernich, security-response-team, twalsh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: envoyproxy/envoy 1.17.1 Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass vulnerability was found in envoyproxy/envoy. When specifying a JSON Web Token (JWT) authentication filter, if `allow_missing` is also used, this flaw allows an attacker to craft a request with a JWT token with an incorrect issuer bypassing the filter. The highest threat from this vulnerability is to confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-02 01:01:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1933675    

Description Mark Cooper 2021-03-01 12:37:19 UTC 
In Envoy 1.17.1, when a JSON Web Token (JWT) authentication filter is specified with `allow_missing`, a request with a JWT token with an incorrect issuer can bypass the filter. 

Upstream issue: 
https://github.com/istio/envoy/pull/303
Comment 1 Mark Cooper 2021-03-01 12:37:26 UTC 
Acknowledgments:

Name: Istio Product Security Working Group
Comment 4 Mark Cooper 2021-03-02 01:01:13 UTC 
OpenShift ServiceMesh is not affected by this as it uses Istio v1.16.x. 

Comparing the code:
https://github.com/maistra/envoy/blob/7f7ca9dc6df537d19e6b62eff379c0829ead9c90/source/extensions/filters/http/jwt_authn/verifier.cc#L305

It looks like the upstream fix for this CVE is pretty much restoring the original behaviour.
Comment 8 Mark Cooper 2021-03-09 23:44:10 UTC 
External References:

https://github.com/envoyproxy/envoy/security/advisories/GHSA-4996-m8hf-hj27
https://istio.io/latest/news/security/istio-security-2021-001/
Comment 9 Mark Cooper 2021-03-09 23:47:34 UTC 
Upstream fix: https://github.com/envoyproxy/envoy/pull/15194
Comment 10 Mark Cooper 2021-03-09 23:58:06 UTC 
And upstream commit: https://github.com/envoyproxy/envoy/pull/15194/commits/fc1644ee11a53a60da349cacede8d6cb1d619eee
Comment 11 RaTasha Tillery-Smith 2021-03-10 19:44:05 UTC 
Statement:

Only version 1.9.0 of upstream Istio is affected by the vulnerability. Therefore, even if the OpenShift ServiceMesh (OSSM) does package Istio, it is only v1.6.14 and is not affected.