CVE-2024-45809 in Envoy
Summary
by MITRE • 09/20/2024
Envoy is a cloud-native high-performance edge/middle/service proxy. The JWT filter will lead to an Envoy crash when clearing the route cache with remote JWKs, in the following case:
1. remote JWKs are used, which requires async header processing;
2. clear_route_cache is enabled on the provider;
3. header operations are enabled in the JWT filter, e.g. the header-to-claims feature;
4. the routing table is configured in a way that the JWT header operations modify requests to not match any route.
When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route(). The root cause is the ordering of continueDecoding and clearRouteCache. This issue has been addressed in versions 1.31.2, 1.30.6, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Analysis
by VulDB Data Team • 11/14/2024
CVE-2024-45809 affects Envoy, a cloud-native high-performance edge/middle/service proxy widely deployed in microservice architectures. It is a crash condition in the JWT filter that can cause service disruption and denial of service in proxy environments. The crash manifests when the filter is configured with remote JWKs (JSON Web Key sets) and a specific combination of provider and routing options is present, so the organizations affected are those that rely on Envoy's JWT authentication with remote key retrieval for token validation.
The root cause is the ordering of continueDecoding and clearRouteCache in the filter's processing pipeline. With remote JWKs, header processing is asynchronous because the keys must be fetched from an external source before the token can be validated. If clear_route_cache is enabled on the provider and the JWT filter also performs header operations (for example, the header-to-claims feature), the filter rewrites request headers once the fetch completes. When the routing table is configured such that the rewritten request no longer matches any route, route() returns a nullptr, and the upstream code converts that nullptr into a reference, crashing the proxy immediately.
The operational impact goes beyond a single failed request: an Envoy process terminating unexpectedly disrupts all traffic it carries and can cascade through a microservice architecture. Deployments that combine JWT authentication with remote JWK configuration risk unplanned proxy termination and service unavailability. The trigger conditions are specific but not uncommon in production environments with complex routing and authentication configurations. Because the crash occurs while processing HTTP requests that require JWT validation against remote keys, it is especially damaging in high-throughput environments where request volume is significant, and security and DevOps teams should treat it as affecting core proxy functionality rather than an isolated feature.
The vulnerability is classified under CWE-476 (null pointer dereference) and illustrates how improper state management leads to instability. The issue also connects to ATT&CK technique T1566.002, which involves credential manipulation through token validation processes, as the flaw affects the authentication handling mechanisms within the proxy. The fix in versions 1.31.2, 1.30.6, and 1.29.9 corrects the ordering of continueDecoding and clearRouteCache so that the nullptr reference conversion can no longer occur. Organizations should prioritize upgrading Envoy to these patched versions. Since no workarounds are known, administrators must rely entirely on the vendor-provided patches, which underlines the importance of keeping production software current. The case is a reminder that correct state management and sequencing in distributed proxies matter for stability as much as for security, because authentication and authorization decisions run in the same code path.
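As an added example (not VulDB's or the Envoy project's own code), the following Python check walks an Envoy bootstrap in its JSON form, flags jwt_authn providers that combine the three configuration-side conditions the advisory lists (remote JWKs, clear_route_cache, and a header-writing option such as claim_to_headers), and compares the running version against the fixed releases. The sample bootstrap is constructed; treating forward_payload_header as a header operation and minor lines older than 1.29 as unfixed are assumptions.

```python
"""Config-side audit for CVE-2024-45809 in Envoy's jwt_authn filter."""

# First patch release on each minor line that carries the fix (from the advisory).
FIXED_PATCH = {(1, 31): 2, (1, 30): 6, (1, 29): 9}
JWT_AUTHN = "type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication"

def version_has_fix(version):
    """True if `version` is a fixed release or newer. Assumption: minor lines
    older than 1.29 never received the fix and are reported as unfixed."""
    major, minor, patch = (int(p) for p in version.lstrip("v").split(".")[:3])
    if (major, minor) in FIXED_PATCH:
        return patch >= FIXED_PATCH[(major, minor)]
    return (major, minor) > (1, 31)

def _walk(node):
    """Yield every dict nested anywhere in a parsed bootstrap."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from _walk(child)

def at_risk_providers(bootstrap):
    """Names of JwtProvider entries that combine remote JWKS, clear_route_cache and
    a header-writing option (claim_to_headers; forward_payload_header is assumed)."""
    hits = []
    for node in _walk(bootstrap):
        if node.get("@type") != JWT_AUTHN:
            continue
        for name, prov in node.get("providers", {}).items():
            writes_headers = bool(prov.get("claim_to_headers") or prov.get("forward_payload_header"))
            if "remote_jwks" in prov and prov.get("clear_route_cache") and writes_headers:
                hits.append(name)
    return hits

def audit(bootstrap, version):
    """At-risk provider names when the running version lacks the fix, else []."""
    return [] if version_has_fix(version) else at_risk_providers(bootstrap)

# Constructed sample bootstrap: one provider matches every condition, one does not.
SAMPLE = {"static_resources": {"listeners": [{"filter_chains": [{"filters": [{"typed_config": {
    "http_filters": [{"name": "envoy.filters.http.jwt_authn", "typed_config": {
        "@type": JWT_AUTHN, "providers": {
            "remote_with_claims": {"issuer": "https://idp.example", "clear_route_cache": True,
                "remote_jwks": {"http_uri": {"uri": "https://idp.example/jwks.json"}},
                "claim_to_headers": [{"header_name": "x-jwt-sub", "claim_name": "sub"}]},
            "local_only": {"issuer": "https://idp.example", "clear_route_cache": True,
                "local_jwks": {"inline_string": '{"keys": []}'}}}}}]}}]}]}]}}
```

Run `audit(json.load(open("envoy.json")), "1.31.1")` against a real bootstrap; a non-empty result means the provider set matches the advisory's trigger conditions on an unpatched release.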