CVE-2023-51437

Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file. Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker. 2.11 Pulsar users should upgrade to at least 2.11.3. 3.0 Pulsar users should upgrade to at least 3.0.2. 3.1 Pulsar users should upgrade to at least 3.1.1. Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions. For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:3.1.0:candidate_1:*:*:*:*:*:*

History

21 Nov 2024, 08:38

Type Values Removed Values Added
References () https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5 - Issue Tracking, Vendor Advisory () https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5 - Issue Tracking, Vendor Advisory
References () https://www.openwall.com/lists/oss-security/2024/02/07/1 - () https://www.openwall.com/lists/oss-security/2024/02/07/1 -

22 Jul 2024, 09:15

Type Values Removed Values Added
CWE CWE-200
References
  • {'url': 'http://www.openwall.com/lists/oss-security/2024/02/07/1', 'tags': ['Mailing List', 'Third Party Advisory'], 'source': 'security@apache.org'}
  • () https://www.openwall.com/lists/oss-security/2024/02/07/1 -

15 Feb 2024, 04:53

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/02/07/1 - () http://www.openwall.com/lists/oss-security/2024/02/07/1 - Mailing List, Third Party Advisory
References () https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5 - () https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5 - Issue Tracking, Vendor Advisory
First Time Apache pulsar
Apache
CWE CWE-203
CPE cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:pulsar:3.1.0:candidate_1:*:*:*:*:*:*

07 Feb 2024, 12:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/02/07/1 -
Summary
  • (es) Una vulnerabilidad de discrepancia de tiempo observable en Apache Pulsar SASL Authentication Provider puede permitir a un atacante falsificar un token de función SASL que pasará la verificación de firma. Se recomienda a los usuarios actualizar a la versión 2.11.3, 3.0.2 o 3.1.1, que soluciona el problema. Los usuarios también deberían considerar actualizar el secreto configurado en el archivo `saslJaasServerRoleTokenSignerSecretPath`. Cualquier componente que coincida con una versión anterior que ejecute el proveedor de autenticación SASL se verá afectado. Eso incluye Pulsar Broker, Proxy, Websocket Proxy o Function Worker. 2.11 Los usuarios de Pulsar deben actualizar al menos a 2.11.3. Los usuarios de Pulsar 3.0 deben actualizar al menos a 3.0.2. 3.1 Los usuarios de Pulsar deben actualizar al menos a 3.1.1. Cualquier usuario que ejecute Pulsar 2.8, 2.9, 2.10 y versiones anteriores debe actualizar a una de las versiones parcheadas anteriores. Para obtener detalles adicionales sobre este vector de ataque, consulte https://codahale.com/a-lesson-in-timing-attacks/.

07 Feb 2024, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-07 10:15

Updated : 2024-11-21 08:38


NVD link : CVE-2023-51437

Mitre link : CVE-2023-51437

CVE.ORG link : CVE-2023-51437


JSON object : View

Products Affected

apache

  • pulsar
CWE
CWE-203

Observable Discrepancy