CVE-2021-32777

8.6 HIGH

📋 TL;DR

Envoy's ext-authz extension does not merge repeated (multiple-value) request headers the way the HTTP spec requires (RFC 7230 combines them into one comma-separated value); when it builds the check request for the external authorization service it sends only the last value of each such header, while the upstream still receives the original request. An authorization service that bases its decision on one of those headers therefore evaluates a different request than the upstream serves, and an attacker can craft duplicated headers to get a request authorized that the policy should have denied, potentially leading to privilege escalation. Affects Envoy deployments that use the ext-authz extension with an external authorization service whose policy reads headers a client can repeat.
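The following is an added illustration of the failure mode, not Envoy code and not the advisory's reproduction: it contrasts a last-wins flattening of repeated headers with the RFC 7230 comma-join, and shows why a hypothetical authz policy (deny any request carrying an `admin` scope in an invented `X-Scope` header) and a hypothetical upstream (which honours every scope value it finds) disagree under the vulnerable flattening. The header name, the policy and the upstream behaviour are assumptions for the example.

```python
"""Illustration of CVE-2021-32777's failure mode: the ext-authz filter flattened
repeated request headers by keeping only the last value, while the correct
behaviour (RFC 7230 section 3.2.2) is to join all values with a comma.

Added example, not Envoy code and not the advisory's own reproduction. The
policy and the upstream behaviour below are invented to show why the two
flattenings lead to different authorization outcomes.
"""
from typing import Callable, Dict, List, Set, Tuple

RawHeaders = List[Tuple[str, str]]  # headers as sent on the wire, order preserved


def flatten_last_wins(headers: RawHeaders) -> Dict[str, str]:
    """Pre-fix behaviour: one dict insert per header field, so duplicates overwrite."""
    out: Dict[str, str] = {}
    for name, value in headers:
        out[name.lower()] = value
    return out


def flatten_rfc7230(headers: RawHeaders) -> Dict[str, str]:
    """Fixed behaviour: repeated fields combine into one comma-separated value."""
    out: Dict[str, str] = {}
    for name, value in headers:
        key = name.lower()
        out[key] = value if key not in out else f"{out[key]}, {value}"
    return out


# Hypothetical authorization policy: the external service denies any request
# that asks for the "admin" scope and allows everything else. It only ever
# sees the flattened headers the proxy forwards in the check request.
def authz_decision(flattened: Dict[str, str]) -> bool:
    scopes = {s.strip() for s in flattened.get("x-scope", "").split(",")}
    return "admin" not in scopes


# Hypothetical upstream: the application behind the proxy receives the raw
# request unchanged and honours every scope value it finds.
def upstream_effective_scopes(headers: RawHeaders) -> Set[str]:
    return {v.strip() for n, v in headers if n.lower() == "x-scope"}


def evaluate(headers: RawHeaders,
             flatten: Callable[[RawHeaders], Dict[str, str]]) -> Tuple[bool, Set[str]]:
    """Return (allowed by the authz service?, scopes the upstream would act on)."""
    return authz_decision(flatten(headers)), upstream_effective_scopes(headers)


# Constructed attacker request: the privileged scope comes first, a harmless one last.
ATTACK: RawHeaders = [("host", "api.example"), ("x-scope", "admin"), ("x-scope", "read")]

if __name__ == "__main__":
    for label, fn in (("last-wins (vulnerable)", flatten_last_wins),
                      ("rfc7230 (fixed)", flatten_rfc7230)):
        allowed, scopes = evaluate(ATTACK, fn)
        print(f"{label:24s} authz sees {fn(ATTACK)['x-scope']!r:16s} "
              f"allowed={allowed} upstream acts on {sorted(scopes)}")
```

Under the vulnerable flattening the authz service sees only `read` and allows the request, while the upstream still acts on `admin`; under the fixed flattening the service sees `admin, read` and denies it. Which header and which policy make a real deployment exploitable depends entirely on what the authorization service reads, which is why the advisory scopes the impact to services whose decisions rely on such headers.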

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: 1.19.0 and earlier; 1.18.x before 1.18.4; 1.17.x before 1.17.4; 1.16.x before 1.16.5
Operating Systems: All platforms running Envoy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the ext_authz filter is enabled and delegates decisions to an external authorization service. The defect is in the logic that flattens request headers into the check request sent to that service: repeated headers are not merged, so the service receives only the last value.

📦 What is this software?

Envoy is an open-source L7 edge and service proxy (a CNCF project) widely deployed as a sidecar in service meshes such as Istio. Its ext_authz HTTP filter delegates per-request authorization decisions to an external gRPC or HTTP service by sending it a summary of the incoming request, including its headers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers bypass all authorization controls, gaining unauthorized access to protected resources or administrative privileges, potentially compromising the entire service mesh infrastructure.

🟠 Likely Case

Selective authorization bypass for the specific endpoints or services whose authorization policy is decided on a header the client can repeat, allowing unauthorized access to sensitive data or functions.

🟢 If Mitigated

Limited impact with proper network segmentation, an independent authorization check at the application layer, and monitoring that detects requests repeating authorization-relevant headers.

🌐 Internet-Facing: HIGH - Internet-facing Envoy proxies with ext-authz enabled are directly exposed to crafted requests from untrusted sources.
🏢 Internal Only: MEDIUM - Internal Envoy deployments still vulnerable to insider threats or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests that repeat a header the external authorization service bases its decision on, so the attacker needs to know (or guess) which header that is. No authentication is needed if the Envoy listener is reachable by the attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.1, 1.18.4, 1.17.4, 1.16.5 or later

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h

Restart Required: Yes

Instructions:

1. Identify affected Envoy instances (version and whether the ext_authz filter is configured).
2. Upgrade to a patched version (1.19.1+, 1.18.4+, 1.17.4+, or 1.16.5+).
3. Restart or redeploy the Envoy service.
4. Verify the fix: send a request with a duplicated header through an ext_authz-protected route and confirm the authorization service receives the values comma-joined rather than only the last one.

🔧 Temporary Workarounds

Disable ext-authz extension

Applies to: all

Temporarily remove the vulnerable ext_authz filter only if an equivalent authorization check exists elsewhere (for example in the upstream application). Removing the filter removes the check entirely, so without a compensating control this fails open rather than closed.

Modify the Envoy configuration to remove or comment out the ext_authz filter configuration, then reload or restart Envoy.

Implement WAF rules

Applies to: all

Add Web Application Firewall rules that reject requests repeating a header the authorization service makes decisions on (for example the header carrying the caller's identity or scopes). Do not block every repeated header: repeating Accept, Cookie or X-Forwarded-For is legitimate and common.

Configure the WAF to inspect and normalize HTTP headers before they reach Envoy, so that the authorization service and the upstream see the same single value.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Envoy instances with ext-authz enabled
  • Add additional authorization checks at the application layer to compensate for potential bypass
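As an added example of the edge-side compensating control described above (not an Envoy feature and not a vendor-supplied WAF rule), the following refuses requests that repeat a header the authorization policy depends on, leaves other repeated headers alone, and emits a structured event for the monitoring described later on this page. The set of sensitive header names is an assumption; use the ones your authorization service actually reads.

```python
"""Edge-side compensating control for deployments that cannot patch yet:
refuse requests that repeat a header the external authorization service makes
decisions on, so a last-wins flattening never gets a chance to hide a value.
Other repeated headers are left alone (repeating Accept, Cookie or
X-Forwarded-For is legitimate and common).

Added example, not an Envoy feature or a vendor-supplied WAF rule. The list of
sensitive headers is an assumption for the example.
"""
from collections import Counter
from typing import Dict, List, Tuple

RawHeaders = List[Tuple[str, str]]

# Assumption: the headers this deployment's authz policy trusts.
AUTHZ_SENSITIVE = {"authorization", "x-scope", "x-user-id"}


def duplicated_sensitive(headers: RawHeaders) -> List[str]:
    """Names (lower-cased, sorted) of sensitive headers that occur more than once."""
    counts = Counter(name.lower() for name, _ in headers)
    return sorted(n for n, c in counts.items() if c > 1 and n in AUTHZ_SENSITIVE)


def gate(headers: RawHeaders) -> Tuple[int, str]:
    """Return (status, reason): 400 for an ambiguous request, 200 to pass it on."""
    dups = duplicated_sensitive(headers)
    if dups:
        return 400, "repeated authorization-relevant header(s): " + ", ".join(dups)
    return 200, "ok"


def detection_event(headers: RawHeaders, client: str) -> Dict[str, object]:
    """Structured record for the SIEM; emit it whenever gate() rejects."""
    return {
        "event": "ext_authz_dup_header",
        "client": client,
        "headers": duplicated_sensitive(headers),
        # total occurrences of sensitive headers, the 'header_count' a query can key on
        "header_count": sum(1 for n, _ in headers if n.lower() in AUTHZ_SENSITIVE),
    }


# Constructed requests: one benign with repeated Accept, one repeating X-Scope.
BENIGN: RawHeaders = [("Host", "api.example"), ("Accept", "*/*"), ("accept", "text/html"),
                      ("X-Scope", "read")]
SUSPECT: RawHeaders = [("Host", "api.example"), ("X-Scope", "admin"), ("x-scope", "read")]

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        status, reason = gate(req)
        print(f"{label:8s} -> {status} {reason}")
        if status != 200:
            print("  log:", detection_event(req, "203.0.113.5"))
```

Rejecting rather than silently merging is deliberate: a request that repeats an identity or scope header has no single legitimate interpretation, and a 400 gives the client a clear signal while the event gives the SOC something to alert on.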

🔍 How to Verify

Check if Vulnerable:

Check Envoy version and ext-authz configuration. If version is before 1.19.1/1.18.4/1.17.4/1.16.5 and ext-authz is enabled, system is vulnerable.

Check Version:

envoy --version or check Envoy container/image version

Verify Fix Applied:

Send a request that repeats a header through an ext_authz-protected route and compare what the authorization service received with what was sent: a patched Envoy forwards all values comma-joined; a vulnerable one forwards only the last value.

📡 Detection & Monitoring

Log Indicators:

  • Multiple authorization failures for the same user or endpoint (probing for which header the policy trusts)
  • Unusual header patterns in access logs, in particular repeated authorization-relevant headers
  • Authorization service logs showing a single value for a header the edge recorded as repeated

Network Indicators:

  • HTTP requests carrying the same header more than once targeting ext_authz-protected endpoints
  • Requests to ext_authz-protected routes that were allowed despite carrying a value the policy should deny (compare the authorization service's view with the raw request when both are logged)

SIEM Query:

source="envoy" AND ("ext_authz" OR "authorization") AND header_count>1

(Pseudo-query: header_count is not a default Envoy access-log field. Emit it from a custom access-log format or from the authorization service itself, and adapt the field names to your log schema.)

🔗 References

  • Vendor advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-6g4j-5vrw-2m8h
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-32777