Envoy Denial-of-Service Vulnerability Due to JWT Authentication and JWKS Fetching Error

Vulnerability

A denial-of-service vulnerability has been identified in Envoy versions through 1.36.2. The issue arises when JWT authentication is used with remote JWKS fetching and the 'allow_missing_or_failed' option is enabled. If a request carries multiple JWT tokens in its headers and the JWKS fetch fails, Envoy crashes. The crash is caused by a re-entrancy bug in the JwksFetcherImpl component: when the first token's JWKS fetch fails, the onJwksError() callback starts processing the second token, which calls fetch() again on the same fetcher object. That re-entrant call corrupts the state of the second, still in-flight fetch, and Envoy crashes when the asynchronous HTTP response for it is received.

Impact

Exploiting this vulnerability causes Envoy to crash, disrupting service and availability.

Reproduction

To reproduce this vulnerability, enable the 'allow_missing_or_failed' or 'allow_missing' options in the JWT authentication configuration. Then, send a request with two Authorization headers containing JWT tokens. Ensure that the remote JWKS fetching fails. This sequence of actions will trigger the crash.

Remediation

Users can mitigate this vulnerability by disabling the 'allow_missing_or_failed' or 'allow_missing' options in the JWT authentication configuration.
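As an added illustration (not taken from the advisory or from the Envoy project), the following jwt_authn filter fragment shows the requirement shape the remediation tells users to remove, with the corrected form beside it. The provider name, issuer, audience, JWKS URI and upstream cluster name are placeholders.

```yaml
# Added example, not part of the advisory. Provider, issuer, audience,
# URI and cluster names are placeholders.
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_provider:                      # placeholder provider name
        issuer: https://issuer.example.com   # placeholder
        audiences:
        - example-audience                   # placeholder
        remote_jwks:                         # remote fetching: the affected code path
          http_uri:
            uri: https://issuer.example.com/.well-known/jwks.json   # placeholder
            cluster: jwks_cluster            # placeholder upstream cluster
            timeout: 5s
          cache_duration: 300s
        from_headers:
        - name: Authorization
          value_prefix: "Bearer "
    rules:
    # BEFORE (affected): the requirement is satisfied even when the JWT is
    # missing or fails verification. This is the option the advisory says
    # to disable; 'allow_missing: {}' in the same position is also affected.
    # - match:
    #     prefix: /
    #   requires:
    #     requires_any:
    #       requirements:
    #       - provider_name: example_provider
    #       - allow_missing_or_failed: {}
    #
    # AFTER (remediated): require a token verified by the provider, with no
    # allow_missing_or_failed or allow_missing requirement anywhere in the rules.
    - match:
        prefix: /
      requires:
        provider_name: example_provider
```

Requests without a valid token are then rejected by the filter instead of being passed through, which is the behaviour change operators should plan for when applying this mitigation.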

Added: Dec 3, 2025, 6:17 PM
Updated: Dec 3, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 6.6
remediation: 7.9
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.