Bug 2156871 (CVE-2021-4294)

Summary: CVE-2021-4294 osin: manipulation of the argument secret leads to observable timing discrepancy
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, jburrell, rogbas, sasakshi, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenShift OSIN. This issue affects the ClientSecretMatches/CheckClientSecret function, where the manipulation of the argument secret leads to an observable timing discrepancy.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2156872    

Description Avinash Hanwate 2022-12-29 04:28:16 UTC 
A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216987.

https://vuldb.com/?id.216987
https://github.com/openshift/osin/commit/8612686d6dda34ae9ef6b5a974e4b7accb4fea29
https://github.com/openshift/osin/pull/200
https://vuldb.com/?ctiid.216987
Comment 3 sakshi 2023-02-06 05:43:38 UTC 
Hi Team, 


The customer is using openshift Version 4.10.20 and is affected by this vulnerability and wants to know when this will be fixed.


Thanks
Sakshi