Announcing fix for zero day


Asra Ali

Feb 26, 2021, 8:42:52 AM2/26/21
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-users, envoy-dev, Envoy-maintainers, envoy-security

Hi, 


We are announcing a fix for a zero day that was identified on 2021/02/24 in the open:


Envoy JWT filter bypass when using the allow_missing configuration under `requires_any`. If a JWT token is presented with an issuer that does not match the issuer field specified in JwtProvider, then the request is mistakenly accepted. This is due to a bug where `JwtUnknownIssuer` is mistakenly converted to `JwtMissing` and accepted due to `allow_missing`.


This issue affects release 1.17. It does not affect release 1.16 or earlier.


A few notes about the release:

  1. The backport is completed for v.1.17.1. The release has been tagged and is available here.

  2. The bug does not apply to any other stable versions. It was introduced in PR 14414 on 2021/01/05.

  3. We will provide more complete write-ups, CVE numbers, etc. later this week.


Thanks,
Envoy Security Team
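To make the failure mode concrete, here is a small C++ model of the decision logic the advisory describes: a `requires_any` requirement combining a provider check with `allow_missing`, with a flag that reproduces the collapse of `JwtUnknownIssuer` into `JwtMissing`. This is an added illustration, not Envoy's own code; the enum values, function names and the issuer string are assumptions.

```cpp
// Added example (not Envoy source): models the requires_any + allow_missing
// decision for the bug described in the advisory. Names and the exact point at
// which the status is converted are assumptions made for illustration.
#include <string>

enum class JwtStatus { Ok, JwtMissing, JwtUnknownIssuer };

// Provider check in the spirit of JwtProvider: a token whose `iss` claim does
// not match the configured issuer is an unknown issuer, not a missing token.
// `issuer_claim == nullptr` stands for "no JWT presented on the request".
JwtStatus verifyAgainstProvider(const char* issuer_claim,
                                const std::string& configured_issuer) {
  if (issuer_claim == nullptr) return JwtStatus::JwtMissing;
  if (std::string(issuer_claim) != configured_issuer) return JwtStatus::JwtUnknownIssuer;
  return JwtStatus::Ok;  // signature and expiry checks are out of scope here
}

// requires_any { provider, allow_missing }: the request passes if either
// sub-requirement is satisfied. `buggy == true` reproduces the defect: the
// unknown-issuer result is rewritten to JwtMissing before allow_missing is
// consulted, so a token from the wrong issuer is accepted as if absent.
bool requiresAnyAllowMissing(JwtStatus provider_status, bool buggy) {
  if (provider_status == JwtStatus::Ok) return true;
  JwtStatus s = provider_status;
  if (buggy && s == JwtStatus::JwtUnknownIssuer) s = JwtStatus::JwtMissing;
  // Correct behaviour: allow_missing only covers a genuinely absent token.
  return s == JwtStatus::JwtMissing;
}

// End-to-end decision for one request against an assumed provider issuer.
bool accepts(const char* issuer_claim, bool buggy) {
  const std::string configured_issuer = "https://issuer.example";  // assumed
  return requiresAnyAllowMissing(verifyAgainstProvider(issuer_claim, configured_issuer),
                                 buggy);
}
```

With the defect, a request carrying a token for `https://other.example` is accepted; with the corrected mapping it is rejected, while requests with no token or with a matching issuer behave the same either way.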

Asra Ali

Mar 9, 2021, 1:07:44 PM3/9/21
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-users, envoy-dev, Envoy-maintainers, envoy-security
Hi all, 

Just as a follow-up, a detailed security advisory on the issue is published here. The CVE ID for the issue is CVE-2021-21378, and it is rated High, CVSS score 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N.

Thank you!
Asra