Bug 1425455 (CVE-2017-3156)
| Summary: | CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abhgupta, aileenc, alazarot, bbaranow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, etirelli, gvarsami, hamed.farid, huwang, jawilson, jcoleman, jolee, jshepherd, kconner, kverlaen, ldimaggi, lgao, lpetrovi, mbaluch, mwinkler, myarboro, nwallace, pgier, psakar, pslavice, puntogil, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, spinder, tcunning, theute, tiwillia, tkirby, twalsh, vhalbert, vtunka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | cxf 3.0.13, cxf 3.1.10 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:07:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1425458 | ||
| Bug Blocks: | 1425457 | ||
|
Description
Adam Mariš
2017-02-21 13:23:01 UTC
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1425458] Thanks Adam , I have two questions 1- If I use vulnerable CXF version like 3.0.12 but I don't use OAuth2 Hawk and JOSE , should I still be vulnerable ? 2- Is this finding affects only Linux systems ? Hi Hamed, Sorry for the delay getting back to you on this, to answer your questions: 1) No you are not vulnerable, basically there multiple access token types which can be used in cxf oauth2 and MAC and HAWK are among those token types so if you do not use them then you are not vulnerable. 2) Not necessarily linux systems, cxf oauth2 lib is affected and any application that utilizes this lib and uses the HAWK and MAC token types could potentially be impacted. Hope this helps. Thanks for your response This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832 This vulnerability is out of security support scope for the following products: * Red Hat JBoss Data Grid 6 * Red Hat Enterprise Application Platform 5 * Red Hat Enterprise Application Platform 6 * Red Hat JBoss Operations Network 3 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Whilst Red Hat Enterprise Application Platform 7 and Red Hat SSO both include components of cxf the oauth2 components are not included. |