Login Sign Up

CVE-2021-43824

7.5 HIGH
Denial of Service

📋 TL;DR

A crafted CONNECT request sent to Envoy's JWT filter configured with regex matching causes a crash, leading to denial of service. This affects Envoy deployments using regex-based JWT filtering. The vulnerability allows attackers to disrupt service availability.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: Versions before 1.20.2, 1.19.3, 1.18.6, and 1.17.3
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when JWT filter is configured with regex matching.

📦 What is this software?

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

Envoy by Envoyproxy

View all CVEs affecting Envoy →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage for Envoy instances, disrupting all traffic proxied through affected instances.

🟠

Likely Case

Intermittent crashes causing service disruption and degraded performance.

🟢

If Mitigated

No impact if regex is not used in JWT filter configuration or if patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple crafted request triggers the crash; details in advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.2, 1.19.3, 1.18.6, or 1.17.3

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-vj5m-rch8-5r2p

Restart Required: Yes

Instructions:

1. Identify Envoy version. 2. Upgrade to patched version via package manager or source. 3. Restart Envoy service.

🔧 Temporary Workarounds

Disable regex in JWT filter

all

Remove or disable regex matching in JWT filter configuration.

Edit Envoy configuration to remove regex from JWT filter settings.

🧯 If You Can't Patch

  • Implement network controls to block CONNECT requests to vulnerable endpoints.
  • Use load balancers or WAFs to filter malicious requests before reaching Envoy.

🔍 How to Verify

Check if Vulnerable:

Check Envoy version and JWT filter configuration for regex usage.

Check Version:

envoy --version

Verify Fix Applied:

Verify Envoy version is patched and test with crafted CONNECT request.

📡 Detection & Monitoring

Log Indicators:

  • Envoy crash logs, unexpected termination, error messages related to JWT filter.

Network Indicators:

  • Spike in CONNECT requests to JWT endpoints, abnormal traffic patterns.

SIEM Query:

source="envoy" AND ("crash" OR "segfault" OR "JWT filter error")

📊 Metadata

CVE ID: CVE-2021-43824
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-476
Published: February 22, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-43824, you might also want to check these:

CVE-2022-36648 10.0

This CVE describes a vulnerability in QEMU's hardware emulation where a malformed program executed i...

Same vulnerability type (CWE-476)
CVE-2022-30592 9.8

This vulnerability in LiteSpeed QUIC (LSQUIC) before version 3.1.0 involves improper handling of MAX...

Same vulnerability type (CWE-476)
CVE-2023-47003 9.8

A NULL pointer dereference vulnerability in RedisGraph allows attackers to execute arbitrary code or...

Same vulnerability type (CWE-476)