CVE-2024-45809: 
Envoy vulnerability analysis and mitigation

Envoy, a cloud-native high-performance edge/middle/service proxy, contains a vulnerability in its JWT filter that can lead to a crash when clear route cache is used with remote JWKs. The vulnerability was discovered in September 2024 and affects versions from 1.29.0 up to versions 1.31.2, 1.30.6, and 1.29.9. The issue has been assigned CVE-2024-45809 with a CVSS v3.1 base score of 7.5 (HIGH) according to NVD assessment (NVD, GitHub Advisory).

The vulnerability occurs under specific conditions: 1) when remote JWKs are used, requiring async header processing, 2) clearroutecache is enabled on the provider, 3) header operations are enabled in JWT filter (e.g., header to claims feature), and 4) the routing table is configured such that JWT header operations modify requests to not match any route. The root cause is identified as incorrect ordering of continueDecoding and clearRouteCache operations, which leads to a nullptr reference conversion from route() in the upstream code (GitHub Advisory).

When the vulnerability is triggered, it results in an Envoy crash, affecting the availability of the service. The CVSS scoring indicates no impact on confidentiality or integrity, but a high impact on availability (NVD).

The vulnerability has been addressed in versions 1.31.2, 1.30.6, and 1.29.9. Users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (NVD).