Bug 1900078 (CVE-2019-20933)
| Summary: | CVE-2019-20933 influxdb: authentication bypass because a JWT token may have an empty SharedSecret | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aileenc, alegrand, anpicker, bibryam, bmontgom, chazlett, david.hannequin, drieden, eclipseo, eparis, erooth, fpokorny, ganandan, gbrown, ggaughan, gghezzo, gmalinko, go-sig, gparvin, hbraun, janstey, jburrell, jchaloup, jochrist, jokerman, jramanat, jweiser, jwendell, jwon, kakkoyun, kconner, lcosic, mcooper, mloibl, nstielau, pantinor, pkrupa, rcernich, sponnaga, stcannon, surbania, thee, twalsh, vbatts |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | influxdb 1.7.6 | Doc Type: | If docs needed, set a value |
| Doc Text: | An authentication bypass vulnerability was found in InfluxDB. By default, when using JWT authentication, InfluxDB does not generate a signing secret or state in the documentation that a JWT secret must be generated. If InfluxDB is left in the default state, this flaw allows an attacker to generate their own JWT token and log into the InfluxDB instance, potentially escalating privileges and gaining access to sensitive information. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-23 17:34:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1900079 | | |
| Bug Blocks: | 1900080 | | |
Description
Guilherme de Almeida Suckevicz
2020-11-20 18:14:33 UTC
Created golang-github-influxdb-influxdb tracking bugs for this issue:

Affects: epel-6 [bug 1900079]

The OpenShift Service Mesh (OSSM) servicemesh-prometheus component packages a `non-vulnerable` version of influxdb. Both ossm 1.1.x and 2.0.x package influxdb:v1.7.7. Similarly, the OpenShift Container Platform (OCP) container openshift4/ose-prometheus also packages a `non-vulnerable` version of influxdb, influxdb:v1.7.6. The openshift4/ose-ovn-kubernetes container did package a vulnerable version `only` for OCP 4.1, but it has since been removed and the container now does not contain influxdb.

Red Hat Advanced Cluster Management for Kubernetes uses influxdb versions newer than those affected by this vulnerability.

Red Hat OpenShift Jaeger (RHOSJ), the distributed-tracing/jaeger-rhel8-operator container, also packages a non-vulnerable version, 1.7.7, and hence is not affected.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20933

External References: https://github.com/influxdata/influxdb/issues/12927

Mitigation: For versions before 1.7.6, as per the documentation updated by influxdb, ensure that a default shared-secret has been defined when enabling JWT authentication: https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#1-add-a-shared-secret-in-your-influxdb-configuration-file Versions including the fix will return an error if the secret is left empty.
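The Doc Text and the mitigation above describe the same defect from two sides: a JWT verifier that accepts an empty shared secret as a valid HMAC key. The following is an added illustration, not InfluxDB's code or Red Hat's fix: a minimal HS256 verifier in Python that treats an empty secret as a configuration error and refuses to authenticate anything, as the fixed versions do, plus a helper that mints a token the way a legitimate client holding the configured secret would. It assumes the `username` and `exp` claims that InfluxDB 1.x requires in a bearer token; the secret and claim values are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Raised for any token that must not authenticate."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(username: str, exp: int, shared_secret: str) -> str:
    """HS256 token as a legitimate client holding the configured secret builds it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"username": username, "exp": exp}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, shared_secret: str, now=None) -> dict:
    """Return the claims of a valid token, else raise AuthError. An empty shared-secret
    is refused before any signature check, as the fixed InfluxDB versions do."""
    if not shared_secret:
        raise AuthError("shared-secret is empty; JWT authentication refused")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise AuthError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("alg must be HS256")
    expected = hmac.new(shared_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature")
    if not isinstance(claims, dict) or "username" not in claims or "exp" not in claims:
        raise AuthError("username and exp claims are required")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise AuthError("token expired")
    return claims
```

The same ordering matters in a real deployment: a deployment check should fail closed on a missing `shared-secret` before the service ever starts accepting tokens, rather than relying on the HMAC comparison to reject anything.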