Bug 1933681 (CVE-2021-21378) - CVE-2021-21378 envoyproxy/envoy: JWT validation bypass when allow_missing is used
Summary: CVE-2021-21378 envoyproxy/envoy: JWT validation bypass when allow_missing is ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-21378
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high / high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1933675
Reported: 2021-03-01 12:37 UTC by Mark Cooper
Modified: 2023-08-31 09:09 UTC (History)
5 users

Fixed In Version: envoyproxy/envoy 1.17.1
Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass vulnerability was found in envoyproxy/envoy. When a JSON Web Token (JWT) authentication filter is configured with `allow_missing`, this flaw allows an attacker to craft a request carrying a JWT with an incorrect issuer that bypasses the filter. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-03-02 01:01:58 UTC
Embargoed:



Description Mark Cooper 2021-03-01 12:37:19 UTC
In Envoy 1.17.1, when a JSON Web Token (JWT) authentication filter is specified with `allow_missing`, a request with a JWT token with an incorrect issuer can bypass the filter. 

Upstream issue: 
https://github.com/istio/envoy/pull/303

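The distinction the description turns on, as an added illustration that is not Envoy's own code: `allow_missing` tolerates only a request that presents no JWT at all, while a token that is presented, including one naming a different issuer, must still pass issuer and signature checks. The provider settings, the HS256 shared secret and the `verify`/`run_scenarios` helpers below are constructed for this example; Envoy itself resolves keys from a provider's JWKS and supports more than one requirement type, so this models only the decision logic the advisory describes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; Envoy providers instead fetch keys from a JWKS endpoint.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"

# Stand-in for one jwt_authn provider: the issuer it trusts and the header it reads.
PROVIDER = {"issuer": "https://issuer.example", "from_header": "authorization"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT (header.payload.signature) for constructing test requests."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def extract_token(headers: dict, header_name: str) -> Optional[str]:
    """Return the token carried in the configured header, or None when the header is absent."""
    value = headers.get(header_name.lower())
    if value is None:
        return None
    # Strip the conventional "Bearer " prefix; whatever remains counts as a presented token.
    if value.lower().startswith("bearer "):
        return value[7:].strip()
    return value.strip()


def verify(headers: dict, provider: dict, secret: bytes, allow_missing: bool) -> str:
    """Decide one request against one provider requirement; returns "allow:..." or "deny:...".

    allow_missing only covers the case where no JWT is presented. A token that is
    presented must still name the trusted issuer and carry a valid signature.
    """
    token = extract_token(headers, provider["from_header"])
    if token is None:
        return "allow:missing" if allow_missing else "deny:missing"

    parts = token.split(".")
    if len(parts) != 3:
        return "deny:malformed"
    header_b64, body_b64, sig_b64 = parts
    try:
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return "deny:malformed"
    if not isinstance(claims, dict):
        return "deny:malformed"

    # The advisory's case: a presented token with the wrong issuer is an
    # authentication failure, not a "missing" token that allow_missing tolerates.
    if claims.get("iss") != provider["issuer"]:
        return "deny:issuer_mismatch"

    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "deny:bad_signature"
    return "allow:verified"


def run_scenarios() -> dict:
    """Exercise the cases a reviewer of an allow_missing requirement cares about."""
    good = make_token({"iss": PROVIDER["issuer"], "sub": "alice"}, DEMO_SECRET)
    wrong_issuer = make_token({"iss": "https://other.example", "sub": "alice"}, DEMO_SECRET)
    forged = make_token({"iss": PROVIDER["issuer"], "sub": "alice"}, b"wrong-secret")
    return {
        "no_token": verify({}, PROVIDER, DEMO_SECRET, allow_missing=True),
        "no_token_strict": verify({}, PROVIDER, DEMO_SECRET, allow_missing=False),
        "valid": verify({"authorization": f"Bearer {good}"}, PROVIDER, DEMO_SECRET, allow_missing=True),
        "wrong_issuer": verify({"authorization": f"Bearer {wrong_issuer}"}, PROVIDER, DEMO_SECRET, allow_missing=True),
        "forged": verify({"authorization": f"Bearer {forged}"}, PROVIDER, DEMO_SECRET, allow_missing=True),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:16} -> {decision}")
```

The `wrong_issuer` scenario is the one the advisory describes: the request is denied with `issuer_mismatch` rather than falling through to the `allow_missing` branch, which is reserved for requests that present no token at all. When auditing a deployment on an affected version, the practical check is whether any `jwt_authn` requirement uses `allow_missing` and, if so, whether the Envoy build is at or above the fixed release.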
Comment 1 Mark Cooper 2021-03-01 12:37:26 UTC
Acknowledgments:

Name: Istio Product Security Working Group

Comment 4 Mark Cooper 2021-03-02 01:01:13 UTC
OpenShift ServiceMesh is not affected by this as it uses Istio v1.16.x. 

Comparing the code:
https://github.com/maistra/envoy/blob/7f7ca9dc6df537d19e6b62eff379c0829ead9c90/source/extensions/filters/http/jwt_authn/verifier.cc#L305

It looks like the upstream fix for this CVE is pretty much restoring the original behaviour.

Comment 9 Mark Cooper 2021-03-09 23:47:34 UTC
Upstream fix: https://github.com/envoyproxy/envoy/pull/15194

Comment 11 RaTasha Tillery-Smith 2021-03-10 19:44:05 UTC
Statement:

Only version 1.9.0 of upstream Istio is affected by the vulnerability. Therefore, even if the OpenShift ServiceMesh (OSSM) does package Istio, it is only v1.6.14 and is not affected.

