Announcing fix for zero day


Asra Ali

Feb 26, 2021, 8:42:52 AM
to envoy-users, envoy-dev, Envoy-maintainers, envoy-security


We are announcing a fix for a zero day that was identified on 2021/02/24 in the open:

Envoy JWT filter bypass when using the allow_missing configuration under `requires_any`. If a JWT token is presented with an issuer that does not match the issuer field specified in JwtProvider, then the request is mistakenly accepted. This is due to a bug where `JwtUnknownIssuer` is mistakenly converted to `JwtMissing` and accepted due to `allow_missing`.

This issue affects release 1.17. It does not affect release 1.16 or earlier.

A few notes about the release:

  1. The backport is completed for v1.17.1. The release has been tagged and is available here

  2. The bug does not apply to any other stable versions. It was introduced in PR 14414 on 2021/01/05.

  3. We will provide more complete write-ups, CVE numbers, etc. later this week.

Envoy Security Team
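For operators who want to check whether a deployment is exposed, the following is an added example (not Envoy's own code and not part of the announcement): it walks a JWT authentication filter configuration and reports every `requires_any` requirement list that also contains an `allow_missing` entry, which is the configuration shape the announcement describes, and combines that with the affected-version rule stated above (1.17 before 1.17.1). It assumes the `envoy.extensions.filters.http.jwt_authn.v3` layout, where a rule's `requires` block may hold `requires_any` with a `requirements` list; the sample configuration, issuer and provider name are constructed for this example.

```python
"""
Added example: locate `allow_missing` inside `requires_any` in an Envoy
jwt_authn filter config and decide whether a given Envoy version is
affected by the 1.17 JWT filter bypass described in the announcement.

Assumptions (not stated on the page): the config follows the jwt_authn v3
proto layout, where `requires_any` holds `{"requirements": [...]}` and each
requirement is one of `provider_name`, `allow_missing`, etc.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample config: /api accepts a token from our issuer OR no token
# at all (allow_missing under requires_any); /admin always requires a token.
SAMPLE_JWT_AUTHN_CONFIG: Dict[str, Any] = {
    "providers": {
        "example_provider": {                              # constructed name
            "issuer": "https://issuer.example.test",       # constructed issuer
            "local_jwks": {"inline_string": '{"keys": []}'},
        }
    },
    "rules": [
        {
            "match": {"prefix": "/api"},
            "requires": {
                "requires_any": {
                    "requirements": [
                        {"provider_name": "example_provider"},
                        {"allow_missing": {}},
                    ]
                }
            },
        },
        {
            "match": {"prefix": "/admin"},
            "requires": {"provider_name": "example_provider"},
        },
    ],
}


def _walk(node: Any, path: str, hits: List[str]) -> None:
    """Recursively visit dicts/lists, recording the path of every
    `requires_any` whose requirements include an `allow_missing` entry."""
    if isinstance(node, dict):
        any_block = node.get("requires_any")
        if isinstance(any_block, dict):
            reqs = any_block.get("requirements", [])
            # Exact key match: `allow_missing_or_failed` is a different option.
            if any(isinstance(r, dict) and "allow_missing" in r for r in reqs):
                hits.append(f"{path}/requires_any")
        for key, value in node.items():
            _walk(value, f"{path}/{key}", hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", hits)


def find_allow_missing_under_requires_any(config: Dict[str, Any]) -> List[str]:
    """Return config paths (JSON-pointer style) of affected requirement lists."""
    hits: List[str] = []
    _walk(config, "", hits)
    return hits


def version_is_affected(version: str) -> bool:
    """Announcement rule: release 1.17 is affected, 1.17.1 carries the fix,
    1.16 and earlier are not affected. Accepts '1.17.0' or 'v1.17.0'."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return parts[:2] == (1, 17) and (len(parts) < 3 or parts[2] < 1)


def assess(config: Dict[str, Any], version: str) -> Tuple[bool, List[str]]:
    """(exposed?, affected paths): exposed only if both the version and the
    config shape match; the paths are still reported for review either way."""
    hits = find_allow_missing_under_requires_any(config)
    return (version_is_affected(version) and bool(hits), hits)


if __name__ == "__main__":
    for ver in ("1.17.0", "1.17.1", "1.16.3"):
        exposed, paths = assess(SAMPLE_JWT_AUTHN_CONFIG, ver)
        print(f"Envoy {ver}: exposed={exposed} allow_missing under requires_any at {paths}")
```

The path output points an operator at the exact rule to review; the remediation the announcement gives is to move to 1.17.1, so the checker treats a matching config on 1.17.1 as not exposed while still listing the rule.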

Asra Ali

Mar 9, 2021, 1:07:44 PM
to envoy-users, envoy-dev, Envoy-maintainers, envoy-security
Hi all, 

Just as a follow-up, a detailed security advisory on the issue is published here. The CVE ID for the issue is CVE-2021-21378, and it is rated High, CVSS score 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N.

Thank you!