Bug 2263329

Summary: Side-channel in cpp-jwt
Product: [Fedora] Fedora EPEL
Reporter: Erwan Legrand <redhat>
Component: cpp-jwt
Assignee: Jonathan Wright <jonathan>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Version: epel9
CC: jonathan
Hardware: Unspecified
OS: Unspecified
Fixed In Version: cpp-jwt-1.4-7.fc40 cpp-jwt-1.4-7.fc41 cpp-jwt-1.4-7.el9 cpp-jwt-1.4-7.fc39 cpp-jwt-1.4-7.el8 cpp-jwt-1.4-7.fc38
Last Closed: 2024-02-27 04:25:35 UTC
Type: Bug
Attachments: Minimal fix (flags: none)

Description Erwan Legrand 2024-02-08 12:19:27 UTC
Description of problem:

After I found a side-channel issue in a JWT library I was working with, I reviewed other implementations and found similar issues in a dozen different Open Source projects.

In the case of cpp-jwt, the problem is located here:
https://github.com/arun11299/cpp-jwt/blob/10ef5735d842b31025f1257ae78899f50a40fb14/include/jwt/impl/algorithm.ipp#L66

The time operator == takes to complete depends on whether the characters in the provided base64url-encoded MAC match the proper value. This could allow an attacker to mount a timing attack through measurement of response times and statistical analysis.

Version-Release number of selected component (if applicable):
As far as I can see, all versions are vulnerable.

Additional info:
One way to fix the issue is to use a constant-time comparison function such as OpenSSL's CRYPTO_memcmp().

Another possibility is to use Double HMAC Verification as described here: https://web.archive.org/web/20160203044316/https:/www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/

I have reported the issue to the maintainer of the original Open Source project separately.
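
Added example, not cpp-jwt's code and not the attached patch: an early-exit comparison next to a constant-time one, with a byte counter standing in for elapsed time so the difference is deterministic. The function names, the `examined` counter and the sample MAC string are hypothetical; production code should call a vetted primitive such as the CRYPTO_memcmp() named in the report.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>

// Early-exit comparison, the behaviour of operator== on strings. `examined`
// counts the bytes inspected before returning, which response time tracks.
bool leaky_equal(std::string_view want, std::string_view got, std::size_t& examined) {
    examined = 0;
    if (want.size() != got.size()) return false;
    for (std::size_t i = 0; i < want.size(); ++i) {
        ++examined;
        if (want[i] != got[i]) return false;  // stops at first mismatch
    }
    return true;
}

// Constant-time comparison: every byte is inspected and differences are OR-ed
// together, so the work does not depend on where a mismatch occurs. Returning
// early on a length mismatch is acceptable because the MAC length is public.
bool constant_time_equal(std::string_view want, std::string_view got, std::size_t& examined) {
    examined = 0;
    if (want.size() != got.size()) return false;
    volatile unsigned char diff = 0;  // volatile: keep the loop from being short-circuited
    for (std::size_t i = 0; i < want.size(); ++i) {
        ++examined;
        diff = static_cast<unsigned char>(diff | (want[i] ^ got[i]));
    }
    return diff == 0;
}

// Bytes examined by a comparator for one guess.
using Cmp = bool (*)(std::string_view, std::string_view, std::size_t&);
std::size_t work_for(Cmp cmp, std::string_view want, std::string_view guess) {
    std::size_t n = 0;
    cmp(want, guess, n);
    return n;
}

// Constructed sample standing in for a base64url-encoded HMAC-SHA256 (43 chars).
const std::string kExpectedMac = "q1w2e3r4t5y6u7i8o9p0aSdFgHjKlZxCvBnM_-QWERT";

int main() {
    std::string guess = kExpectedMac;
    guess[10] = '!';  // first 10 characters correct, 11th wrong
    std::cout << "leaky: " << work_for(leaky_equal, kExpectedMac, guess)
              << ", constant-time: " << work_for(constant_time_equal, kExpectedMac, guess) << "\n";
}
```

With the early-exit version the work grows with the length of the correct prefix, while the constant-time version always inspects the full MAC.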

Comment 1 Jonathan Wright 2024-02-13 04:36:42 UTC
Thanks for the report. Can you provide any potential fixes? I maintain the package but I am not a C++ dev by any stretch.

Comment 2 Erwan Legrand 2024-02-19 17:08:45 UTC
Created attachment 2017672 [details]
Minimal fix

Comment 3 Erwan Legrand 2024-02-19 17:09:28 UTC
Sorry, I had thought I had provided a patch and now I see my mistake! Here it is.

Comment 4 Jonathan Wright 2024-02-27 04:14:40 UTC
Thank you for the patch.

Comment 5 Fedora Update System 2024-02-27 04:20:27 UTC
FEDORA-2024-4caf912a53 (cpp-jwt-1.4-7.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-4caf912a53

Comment 6 Fedora Update System 2024-02-27 04:20:39 UTC
FEDORA-2024-436b32f16c (cpp-jwt-1.4-7.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-436b32f16c

Comment 7 Fedora Update System 2024-02-27 04:25:35 UTC
FEDORA-2024-4caf912a53 (cpp-jwt-1.4-7.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2024-02-27 04:25:39 UTC
FEDORA-2024-436b32f16c (cpp-jwt-1.4-7.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2024-02-27 04:40:03 UTC
FEDORA-EPEL-2024-1cefeeb8f5 (cpp-jwt-1.4-7.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-1cefeeb8f5

Comment 10 Fedora Update System 2024-02-27 04:40:03 UTC
FEDORA-2024-56fbd2cbfa (cpp-jwt-1.4-7.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-56fbd2cbfa

Comment 11 Fedora Update System 2024-02-27 04:40:04 UTC
FEDORA-EPEL-2024-16cf23e0e6 (cpp-jwt-1.4-7.el8) has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-16cf23e0e6

Comment 12 Fedora Update System 2024-02-27 04:40:04 UTC
FEDORA-2024-d76e37ba62 (cpp-jwt-1.4-7.fc38) has been submitted as an update to Fedora 38.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-d76e37ba62

Comment 13 Fedora Update System 2024-02-28 01:03:31 UTC
FEDORA-2024-56fbd2cbfa has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-56fbd2cbfa`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-56fbd2cbfa

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2024-02-28 01:15:32 UTC
FEDORA-EPEL-2024-1cefeeb8f5 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-1cefeeb8f5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2024-02-28 01:18:17 UTC
FEDORA-EPEL-2024-16cf23e0e6 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-16cf23e0e6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2024-02-28 02:10:44 UTC
FEDORA-2024-d76e37ba62 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-d76e37ba62`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-d76e37ba62

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Fedora Update System 2024-03-07 00:35:25 UTC
FEDORA-EPEL-2024-1cefeeb8f5 (cpp-jwt-1.4-7.el9) has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 18 Fedora Update System 2024-03-07 00:57:18 UTC
FEDORA-2024-56fbd2cbfa (cpp-jwt-1.4-7.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 19 Fedora Update System 2024-03-07 01:02:03 UTC
FEDORA-EPEL-2024-16cf23e0e6 (cpp-jwt-1.4-7.el8) has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 20 Fedora Update System 2024-03-07 01:50:03 UTC
FEDORA-2024-d76e37ba62 (cpp-jwt-1.4-7.fc38) has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.