Andreas Moregård

#35301 of 53,635
7.5 Total CVSS
Vulnerabilities · 1
PT-2024-31789
7.5
2024-09-19
Envoy · Envoy · CVE-2024-45809
Name of the Vulnerable Software and Affected Versions:
Envoy versions prior to 1.29.9
Envoy versions prior to 1.30.6
Envoy versions prior to 1.31.2

Description:
The issue arises when the Jwt filter in Envoy leads to a crash when the route cache is cleared with remote JWKs, under specific conditions: remote JWKs are used, requiring async header processing; clear route cache is enabled on the provider; header operations are enabled in the JWT filter; and the routing table is configured such that JWT header operations modify requests to not match any route. This results in a crash due to a nullptr reference conversion from route(), caused by the ordering of continueDecoding and clearRouteCache.

The estimated number of potentially affected devices is not specified. There are no reported real-world incidents of this issue being exploited.

Technical details include the use of the `clear route cache` and `header to claims` features, which can trigger the crash when the routing table is configured in a specific way.

Recommendations:
For Envoy versions prior to 1.29.9, upgrade to version 1.29.9 or later.
For Envoy versions prior to 1.30.6, upgrade to version 1.30.6 or later.
For Envoy versions prior to 1.31.2, upgrade to version 1.31.2 or later.
As a temporary workaround, consider disabling the `header to claims` feature in the JWT filter until a patch is available.
Restrict access to the `clear route cache` feature to minimize the risk of exploitation.