CVE-2024-45809
📋 TL;DR
A vulnerability in Envoy's JWT filter causes a crash when three conditions are met together: the JWT provider uses remote JWKs, clear_route_cache is enabled, and header operations modify the request so that it no longer matches any route. The result is a nullptr reference conversion in upstream code and a denial of service. Affects Envoy deployments using JWT authentication with remote JWKs.
💻 Affected Systems
- Envoy Proxy
📦 What is this software?
Envoy by Envoyproxy
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to Envoy proxy crash, disrupting all traffic through affected instances.
Likely Case
Intermittent crashes causing service disruption and degraded performance when JWT authentication is used with specific configurations.
If Mitigated
No impact if remote JWKs are not used together with clear_route_cache and header operations, or if a patched version is deployed.
🎯 Exploit Status
Exploitation requires knowledge of the JWT configuration and the ability to craft requests that trigger a route mismatch.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.31.2, 1.30.6, or 1.29.9
Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3
Restart Required: Yes
Instructions:
1. Identify the running Envoy version.
2. Upgrade to 1.31.2, 1.30.6, or 1.29.9 according to your release line.
3. Restart the Envoy service.
4. Verify the fix with test requests.
🔧 Temporary Workarounds
Disable clear_route_cache
Remove the clear_route_cache setting from the JWT provider configuration
Edit the Envoy config to remove 'clear_route_cache: true' from the JWT provider
Disable header operations
Remove header_to_claims or other header operations from the JWT filter
Edit the Envoy config to remove header operations from the JWT filter
🧯 If You Can't Patch
- Apply workaround by disabling clear_route_cache or header operations in JWT filter configuration
- Implement rate limiting and request validation to filter potentially malicious JWT requests
🔍 How to Verify
Check if Vulnerable:
Check the Envoy version and inspect the JWT filter configuration for providers that use remote JWKs together with clear_route_cache and header operations
Check Version:
envoy --version
Verify Fix Applied:
Confirm that the running Envoy version is 1.31.2, 1.30.6, or 1.29.9 and re-test with the JWT requests that previously caused crashes
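The two checks above (version and configuration) can be scripted. The following is an added example, not code from the Envoy project or from this advisory. It walks an Envoy config that has already been parsed into Python dicts (JSON, or YAML loaded with PyYAML) and reports every JwtProvider that combines remote_jwks with clear_route_cache, noting whether claim_to_headers (the JwtProvider field that writes claims into request headers; the card's "header_to_claims" refers to this mapping) is also present. It also parses the `envoy --version` output line against the fixed versions listed above. The sample config and version string are constructed for the example, and the handling of release lines not named in the advisory (1.32 and newer treated as fixed, 1.28 and older as unfixed) is an assumption stated in the code.

```python
"""Configuration and version check for CVE-2024-45809 (added example)."""
import re
from typing import Any, Dict, Iterator, List, Tuple

# Fixed versions per release line, taken from the advisory above.
FIXED_VERSIONS = {
    (1, 31): (1, 31, 2),
    (1, 30): (1, 30, 6),
    (1, 29): (1, 29, 9),
}
# Type URL of the jwt_authn filter's typed_config.
JWT_AUTHN_TYPE = ("type.googleapis.com/envoy.extensions.filters.http."
                  "jwt_authn.v3.JwtAuthentication")
# envoy --version prints e.g. ".../<git sha>/1.30.5/Clean/RELEASE/BoringSSL".
VERSION_RE = re.compile(r"/(\d+)\.(\d+)\.(\d+)(?:-dev)?/")


def _walk(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every dict nested anywhere inside a parsed config."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def find_risky_providers(config: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per JwtProvider using remote_jwks with clear_route_cache.

    matches_advisory is True only when claim_to_headers (a header operation)
    is configured as well, i.e. all three conditions from the TL;DR hold.
    """
    findings = []
    for node in _walk(config):
        if node.get("@type") != JWT_AUTHN_TYPE:
            continue
        for name, provider in node.get("providers", {}).items():
            uses_remote_jwks = "remote_jwks" in provider
            clears_cache = bool(provider.get("clear_route_cache", False))
            header_ops = bool(provider.get("claim_to_headers"))
            if uses_remote_jwks and clears_cache:
                findings.append({
                    "provider": name,
                    "header_operations": header_ops,
                    "matches_advisory": header_ops,
                })
    return findings


def parse_envoy_version(output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the `envoy --version` output line."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no Envoy version found in: %r" % output)
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_fixed(version: Tuple[int, int, int]) -> bool:
    """True if the version is at or above the fixed release for its line.

    Assumption: lines newer than the newest fixed line (1.32+) post-date the
    fix; older lines not named in the advisory (1.28 and below) are treated
    as unfixed, which is the conservative choice.
    """
    line = (version[0], version[1])
    if line in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[line]
    return line > max(FIXED_VERSIONS)


# Constructed listener fragment for demonstration; not a real deployment.
SAMPLE_CONFIG = {
    "http_filters": [
        {"name": "envoy.filters.http.jwt_authn",
         "typed_config": {
             "@type": JWT_AUTHN_TYPE,
             "providers": {
                 # remote JWKs + clear_route_cache + claim_to_headers
                 "risky": {
                     "issuer": "https://issuer.example",
                     "remote_jwks": {"http_uri": {
                         "uri": "https://issuer.example/jwks",
                         "cluster": "jwks", "timeout": "5s"}},
                     "clear_route_cache": True,
                     "claim_to_headers": [
                         {"header_name": "x-jwt-sub", "claim_name": "sub"}],
                 },
                 # remote JWKs + clear_route_cache, no header operation
                 "remote_clear_no_headers": {
                     "issuer": "https://other.example",
                     "remote_jwks": {"http_uri": {
                         "uri": "https://other.example/jwks",
                         "cluster": "jwks", "timeout": "5s"}},
                     "clear_route_cache": True,
                 },
                 # local JWKs: outside the advisory's conditions
                 "local": {"issuer": "https://local.example",
                           "local_jwks": {"inline_string": "{}"},
                           "clear_route_cache": True},
             }}},
        {"name": "envoy.filters.http.router",
         "typed_config": {"@type": "type.googleapis.com/envoy.extensions."
                                   "filters.http.router.v3.Router"}},
    ]
}
# Constructed `envoy --version` line; the git sha is a placeholder.
SAMPLE_VERSION_OUTPUT = ("envoy  version: 0000000000000000000000000000000000000000"
                         "/1.30.5/Clean/RELEASE/BoringSSL")

if __name__ == "__main__":
    for finding in find_risky_providers(SAMPLE_CONFIG):
        print(finding)
    version = parse_envoy_version(SAMPLE_VERSION_OUTPUT)
    print("version %d.%d.%d fixed: %s" % (*version, is_fixed(version)))
```

In practice, feed the script the output of `envoy --version` and the dumped or checked-in listener configuration; any provider reported with matches_advisory set to True on an unfixed version is the combination the advisory describes.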
📡 Detection & Monitoring
Log Indicators:
- Envoy crash logs
- Segmentation fault errors
- Unexpected termination
Network Indicators:
- Sudden loss of connectivity to services behind Envoy
- Increased 5xx errors
SIEM Query:
source="envoy" AND ("segmentation fault" OR "crash" OR "terminated unexpectedly")