Bug 1883371 (CVE-2020-26160)
| Summary: | CVE-2020-26160 jwt-go: access restriction bypass vulnerability | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aazores, abonas, adam.kaplan, agarcial, alegrand, alitke, amcdermo, anpicker, aos-bugs, aos-install, bbennett, bbrownin, bdettelb, bmontgom, btofel, chazlett, cnv-qe-bugs, dgoodwin, eaguilar, ebaron, ecordell, eparis, erooth, fdeutsch, gghezzo, gparvin, hchiramm, hvyas, jburrell, jcantril, jesusr, jkang, jlanford, jmulligan, jochrist, jokerman, jpallich, jramanat, jweiser, jwon, kakkoyun, kconner, kmullins, krathod, lcosic, madam, markito, maszulik, mfojtik, nstielau, obulatov, oyahud, phoracek, pjindal, pkrupa, puebele, rcernich, rhs-bugs, rrajasek, sbatsche, sd-operator-metering, sfroberg, sgott, sponnaga, stcannon, stirabos, storage-qa-internal, sttts, surbania, thee, tomckay, xxia |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in jwt-go where it is vulnerable to Access Restriction Bypass: if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect, if required is set to false. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-18 19:01:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1870189, 1883385, 1884482, 1884483, 1884484, 1884485, 1884486, 1884488, 1884489, 1884490, 1884491, 1884492, 1884493, 1884494, 1884495, 1884496, 1884497, 1884498, 1884499, 1884500, 1884501, 1884502, 1884503, 1884504, 1884505, 1884506, 1884507, 1884508, 1884509, 1884510, 1884511, 1884512, 1884513, 1884514, 1884515, 1884516, 1884517, 1884518, 1884519, 1884520, 1884521, 1884522, 1884523, 1884524, 1884525, 1884526, 1884527, 1884605, 1887406, 1887407, 1887412, 1887662, 1887816, 1887817, 1887818, 1887819, 1887820, 1887821, 1887822, 1887823, 1887824, 1887825, 1887826, 1887827, 1887828, 1887829, 1887830, 1887831, 1887832, 1887833, 1887834, 1887835 | | |
| Bug Blocks: | 1882042 | | |
External References: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

Upstream commit: https://github.com/dgrijalva/jwt-go/pull/429

The github.com/dgrijalva/jwt-go module is an indirect dependency of k8s.io/client-go/plugin/pkg/client/auth/azure package pulled into Quay Bridge, and Setup operators via the Operator's SDK generated code:

./pkg/controller/namespace/namespace_controller.go: "k8s.io/client-go/tools/cache"
./pkg/k8sutils/k8sutils.go: "k8s.io/client-go/kubernetes"

The k8s.io/client-go/plugin/pkg/client/auth/azure package sets the aud field to a string when signing a JWT token, not an empty slice, making it currently not vulnerable to this flaw.
https://github.com/Azure/go-autorest/blob/master/autorest/adal/token.go#L253

Also, the Quay operators do not pull in the vulnerable Azure plugin package (they only use tools, and kubernetes client-go packages), so even if the Azure/go-autorest module was using jwt-go in an unsafe way, the operators would not be vulnerable.

> Also, the Quay operators do not pull in the vulnerable Azure plugin package
> (they only use tools, and kubernetes client-go packages), so even if the
> Azure/go-autorest module was using jwt-go in an unsafe way, the operators
> would not be vulnerable.

This part was not the full story: cmd/manager/main.go also calls the init function of "k8s.io/client-go/plugin/pkg/client/auth", which initialises the Azure go-autorest plugin. Still though, that module does not use jwt-go in an unsafe way.

Statement: The github.com/dgrijalva/jwt-go module is an indirect dependency of the k8s.io/client-go module pulled into Quay Bridge, and Setup operators via the Operator's SDK generated code. The k8s.io/client-go module does not use jwt-go in an unsafe way [1]. Red Hat Quay components have been marked as wontfix. This may be fixed in the future.

Similar to Quay, multiple OpenShift Container Platform (OCP) containers include jwt-go as a transient dependency due to go-autorest [1]. As such, those containers do not use jwt-go in an unsafe way. They have been marked wontfix at this time and may be fixed in a future update.

Same as Quay and OpenShift Container Platform, components shipped with Red Hat OpenShift Container Storage 4 do not use jwt-go in an unsafe way and hence this issue has been rated as having a security impact of Low. A future update may address this issue.

Red Hat Gluster Storage 3 shipped multi-cloud-object-gateway-cli as a technical preview and is not currently planned to be addressed in future updates, hence the multi-cloud-object-gateway-cli package will not be fixed.

[1] https://github.com/Azure/go-autorest/issues/568#issuecomment-703804062

This issue has been addressed in the following products:
OpenShift Serverless 1.13
Via RHSA-2021:0516 https://access.redhat.com/errata/RHSA-2021:0516

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-26160

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.7
Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633

This issue has been addressed in the following products:
RHEL-8-CNV-2.6
Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799

This issue has been addressed in the following products:
Red Hat OpenShift Container Storage 4.7.0 on RHEL-8
Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

This issue has been addressed in the following products:
Red Hat OpenShift Container Storage 4.7.0 on RHEL-8
Via RHSA-2021:2042 https://access.redhat.com/errata/RHSA-2021:2042

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.8
Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

This issue has been addressed in the following products:
Cryostat 2 on RHEL 8
Via RHSA-2021:5110 https://access.redhat.com/errata/RHSA-2021:5110
A vulnerability was found in jwt-go where it is vulnerable to Access Restriction Bypass: if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect, if required is set to false.

References:
https://github.com/dgrijalva/jwt-go/issues/428
https://github.com/dgrijalva/jwt-go/issues/422
https://snyk.io/vuln/golang:github.com%2Fdgrijalva%2Fjwt-go
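To make the mechanism in the description concrete, here is an added Go illustration that is not code from jwt-go, from the upstream fix, or from this bug report. It reconstructs the flawed pattern the report describes (a single `string` type assertion on the `aud` claim, so an array-valued claim degrades to `""` and passes whenever `required` is false) next to a hardened audience check that handles every value shape the JWT spec allows. The type name `MapClaims` is borrowed from jwt-go for readability; the function names `verifyAudFlawed` and `verifyAudFixed`, the audience strings, and the sample claims are all constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// MapClaims stands in for a decoded JWT payload: claim name -> whatever the
// JSON decoder produced. The type name is borrowed from jwt-go; the code
// below is a constructed illustration, not the library's source.
type MapClaims map[string]interface{}

// verifyAudFlawed reproduces the pattern this bug describes: "aud" is read
// with a single string type assertion, so an array-valued claim (permitted by
// RFC 7519) silently becomes "" and is then accepted whenever required == false.
func verifyAudFlawed(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string) // []string{} or []interface{} -> ok=false, aud=""
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// verifyAudFixed accepts every shape the spec allows for "aud" (one string or
// an array of strings), rejects anything else, and only treats the claim as
// absent when it carries no non-empty audience at all.
func verifyAudFixed(m MapClaims, cmp string, required bool) bool {
	var aud []string
	switch v := m["aud"].(type) {
	case nil:
		// claim not present
	case string:
		aud = []string{v}
	case []string:
		aud = v
	case []interface{}: // what encoding/json yields for a JSON array
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // non-string audience entry: malformed token
			}
			aud = append(aud, s)
		}
	default:
		return false // number, bool, object: malformed token
	}

	matched := false
	nonEmpty := 0
	for _, a := range aud {
		if a == "" {
			continue
		}
		nonEmpty++
		// Compare every entry rather than returning early, so timing does not
		// reveal which position matched.
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			matched = true
		}
	}
	if nonEmpty == 0 {
		return !required
	}
	return matched
}

func main() {
	const mine = "my-service" // constructed audience this verifier expects
	cases := []struct {
		name   string
		claims MapClaims
	}{
		{"aud is a string", MapClaims{"aud": mine}},
		{"aud is an array holding my audience", MapClaims{"aud": []interface{}{"other", mine}}},
		{"aud is an array of someone else's audience", MapClaims{"aud": []interface{}{"other-service"}}},
		{"aud is an empty array", MapClaims{"aud": []interface{}{}}},
		{"aud absent", MapClaims{}},
	}
	for _, c := range cases {
		fmt.Printf("%-45s flawed=%-5v fixed=%v\n", c.name,
			verifyAudFlawed(c.claims, mine, false), verifyAudFixed(c.claims, mine, false))
	}
}
```

Run with `go run .`; the third row is the one that matters for this CVE: a token minted for `other-service` passes the flawed check with `required=false` and is refused by the hardened one. Note the other half of the report's caveat: with `required=true` the flawed check does not bypass, but it also cannot match a legitimate array-valued `aud` at all, so callers tempted to "fix" this by setting `required=true` trade a bypass for spurious rejections; handling the array shape is the real fix.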