2313686 – (CVE-2024-45809) CVE-2024-45809 envoy: JWT filter crash in the clear route cache with remote JWKs

Bug 2313686 (CVE-2024-45809) - CVE-2024-45809 envoy: JWT filter crash in the clear route cache with remote JWKs

Summary: CVE-2024-45809 envoy: JWT filter crash in the clear route cache with remote JWKs

Keywords:
Status:	NEW
Alias:	CVE-2024-45809
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-09-20 00:40 UTC by OSIDB Bzimport
Modified:	2024-09-25 16:45 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-09-20 00:40:53 UTC

Envoy is a cloud-native high-performance edge/middle/service proxy. Jwt filter will lead to an Envoy crash when clear route cache with remote JWKs. In the following case: 1. remote JWKs are used, which requires async header processing; 2. clear_route_cache is enabled on the provider; 3. header operations are enabled in JWT filter, e.g. header to claims feature; 4. the routing table is configured in a way that the JWT header operations modify requests to not match any route. When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route(). The root cause is the ordering of continueDecoding and clearRouteCache. This issue has been addressed in versions 1.31.2, 1.30.6, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.