Istio disclosed a flaw in its JWT authentication filter on Friday that could crash the Envoy proxy it uses, prompting a trio of updates for the service mesh.
The bug was first reported just over a week ago and can cause Envoy to crash when a request contains a malformed JWT token. The symptoms are an HTTP 503 error for the client and the message “Epoch 0 terminated with an error: signal: segmentation fault (core dumped)” in the Envoy logs.
Two conditions are required for a crash to occur: first, that a JWT authentication policy is applied to Envoy at all, and second, that the JWT issuer uses the RSA algorithm for signature authentication.
The Istio team adds that “if JWT policy is applied to the Istio ingress gateway … any external user who has access to the ingress gateway could crash it with a single HTTP request.”
If JWT is applied only to the sidecar, there could still be issues, as “for example, the Istio ingress gateway might forward the JWT token to the sidecar which could be a malformed JWT token that crashes the sidecar.”
The advisory adds that the vulnerability has nothing to do with the RSA algorithm itself. It also includes a command that users can apply to check if they are indeed affected.
Affected 1.0.x users are advised to upgrade to 1.0.9, while 1.1.x and 1.2.x deployments should move to the just-released 1.1.10 and 1.2.2, respectively. Alternatively, they can inject a Lua filter into older versions of Istio.
1.2.2 also fixes an incorrect overwrite of an x-forwarded-proto header, while 1.1.10 eliminates errors caused by Envoy not being able to talk to the SDS Node Agent after a restart, and an upgrade issue.
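
A triage sketch for the two crash conditions and the fixed versions named above, added here as an example; it is not the command from the Istio advisory. It assumes the policy list has the shape of `kubectl get policies.authentication.istio.io --all-namespaces -o json` output, with JWT rules under `spec.origins[].jwt`, and that each issuer's JWKS document has already been fetched; all sample data is constructed.

```python
# Fixed release per minor line, as stated in the article.
FIXED_PATCH = {(1, 0): 9, (1, 1): 10, (1, 2): 2}

def is_patched(version):
    """True/False for 1.0.x-1.2.x; None for lines the article does not cover."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch >= fixed

def jwks_has_rsa(jwks):
    """A JWKS entry is an RSA key when its 'kty' member is 'RSA' (RFC 7517)."""
    return any(key.get("kty") == "RSA" for key in jwks.get("keys", []))

def triage(policy_list, jwks_by_uri):
    """Return (namespace, name, issuer, verdict) for each JWT origin rule."""
    rows = []
    for pol in policy_list.get("items", []):
        meta = pol.get("metadata", {})
        for origin in pol.get("spec", {}).get("origins") or []:
            jwt = origin.get("jwt")
            if not jwt:
                continue
            jwks = jwks_by_uri.get(jwt.get("jwksUri"))
            if jwks is None:
                verdict = "unknown"  # keys not fetched: review by hand
            else:
                verdict = "rsa" if jwks_has_rsa(jwks) else "not-rsa"
            rows.append((meta.get("namespace"), meta.get("name"),
                         jwt.get("issuer"), verdict))
    return rows

# Constructed sample input (assumed shape), not taken from a real cluster.
POLICIES = {"items": [
    {"metadata": {"namespace": "istio-system", "name": "ingress-jwt"},
     "spec": {"origins": [{"jwt": {"issuer": "https://idp.example",
                                   "jwksUri": "https://idp.example/jwks"}}]}},
    {"metadata": {"namespace": "shop", "name": "cart-jwt"},
     "spec": {"origins": [{"jwt": {"issuer": "https://ec.example",
                                   "jwksUri": "https://ec.example/jwks"}}]}},
    {"metadata": {"namespace": "shop", "name": "mtls-only"},
     "spec": {"peers": [{"mtls": {}}]}},
    {"metadata": {"namespace": "pay", "name": "pay-jwt"},
     "spec": {"origins": [{"jwt": {"issuer": "https://other.example"}}]}},
]}
JWKS = {"https://idp.example/jwks": {"keys": [{"kty": "RSA", "kid": "a"}]},
        "https://ec.example/jwks": {"keys": [{"kty": "EC", "kid": "b"}]}}

if __name__ == "__main__":
    print("1.1.9 patched:", is_patched("1.1.9"))
    for row in triage(POLICIES, JWKS):
        print(*row)
```

A policy reported as `rsa` on an unpatched version meets both conditions; `unknown` means the issuer's keys were not supplied and the rule needs a manual look.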