CVE-2024-45809

Envoy is a cloud-native high-performance edge/middle/service proxy. Jwt filter will lead to an Envoy crash when clear route cache with remote JWKs. In the following case: 1. remote JWKs are used, which requires async header processing; 2. clear_route_cache is enabled on the provider; 3. header operations are enabled in JWT filter, e.g. header to claims feature; 4. the routing table is configured in a way that the JWT header operations modify requests to not match any route. When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route(). The root cause is the ordering of continueDecoding and clearRouteCache. This issue has been addressed in versions 1.31.2, 1.30.6, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::
	cpe:2.3:a:envoyproxy:envoy::::::::

History

No history.

Information

Published : 2024-09-20 00:15

Updated : 2024-09-24 20:12

NVD link : CVE-2024-45809

Mitre link : CVE-2024-45809

CVE.ORG link : CVE-2024-45809

JSON object : View

Products Affected

envoyproxy

envoy

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-476

NULL Pointer Dereference

{"id": "CVE-2024-45809", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-09-20T00:15:02.930", "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-119"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "Envoy is a cloud-native high-performance edge/middle/service proxy. Jwt filter will lead to an Envoy crash when clear route cache with remote JWKs. In the following case: 1. remote JWKs are used, which requires async header processing; 2. clear_route_cache is enabled on the provider; 3. header operations are enabled in JWT filter, e.g. header to claims feature; 4. the routing table is configured in a way that the JWT header operations modify requests to not match any route. When these conditions are met, a crash is triggered in the upstream code due to nullptr reference conversion from route(). The root cause is the ordering of continueDecoding and clearRouteCache. This issue has been addressed in versions 1.31.2, 1.30.6, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Envoy es un proxy de servicio/per\u00edmetro/medio de alto rendimiento nativo de la nube. El filtro JWT provocar\u00e1 un bloqueo de Envoy cuando se borre la cach\u00e9 de ruta con JWK remotos. En el siguiente caso: 1. se utilizan JWK remotos, lo que requiere procesamiento de encabezado asincr\u00f3nico; 2. clear_route_cache est\u00e1 habilitado en el proveedor; 3. las operaciones de encabezado est\u00e1n habilitadas en el filtro JWT, por ejemplo, la funci\u00f3n de encabezado a reclamos; 4. la tabla de enrutamiento est\u00e1 configurada de manera que las operaciones de encabezado JWT modifiquen las solicitudes para que no coincidan con ninguna ruta. Cuando se cumplen estas condiciones, se activa un bloqueo en el c\u00f3digo ascendente debido a la conversi\u00f3n de referencia nullptr de route(). La causa principal es el orden de continueDecoding y clearRouteCache. Este problema se ha solucionado en las versiones 1.31.2, 1.30.6 y 1.29.9. Se recomienda a los usuarios que actualicen. No existen workarounds conocidas para esta vulnerabilidad."}], "lastModified": "2024-09-24T20:12:24.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E442EF13-A99D-42B9-BC76-AC398C32D132", "versionEndExcluding": "1.29.9", "versionStartIncluding": "1.29.0"}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9685C62-CFE4-43C5-B0C2-1C6722FB4F64", "versionEndExcluding": "1.30.6", "versionStartIncluding": "1.30.0"}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C765FFC0-2FF7-4318-A347-2AFCAD0E7C74", "versionEndExcluding": "1.31.2", "versionStartIncluding": "1.31.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}