We are announcing a fix for a zero day that was identified on 2021/02/24 in the open:
Envoy JWT filter bypass when using the allow_missing configuration under `requires_any`. If a JWT token is presented with an issuer that does not match the issuer field specified in JwtProvider, then the request is mistakenly accepted. This is due to a bug where `JwtUnknownIssuer` is mistakenly converted to `JwtMissing` and accepted due to `allow_missing`.
This issue affects release 1.17. It does not affect release 1.16 or earlier.
A few notes about the release:
The backport is completed for v.1.17.1. The release has been tagged and is available here.
The bug does not apply to any other stable versions. It was introduced in PR 14414 on 2021/01/05.
We will provide more complete write-ups, CVE numbers, etc. later this week.