Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1425455 - (CVE-2017-3156) CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks
CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerabl...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170220,repor...
: Security
Depends On: 1425458
Blocks: 1425457
  Show dependency treegraph
 
Reported: 2017-02-21 08:23 EST by Adam Mariš
Modified: 2018-06-29 18:18 EDT (History)
46 users (show)

See Also:
Fixed In Version: cxf 3.0.13, cxf 3.1.10
Doc Type: If docs needed, set a value
Doc Text:
It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1832 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update 2017-08-15 01:47:49 EDT

  None (edit)
Description Adam Mariš 2017-02-21 08:23:01 EST 
Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMac secret key algorithms.

This vulnerability affects all versions of Apache CXF prior to 3.0.13, 3.1.10.

Upstream patches:

CXF 3.1.x:
http://git-wip-us.apache.org/repos/asf/cxf/commit/555843f9

CXF 3.0.x
http://git-wip-us.apache.org/repos/asf/cxf/commit/1338469f

CXF 3.2.0-SNAPSHOT (master):
http://git-wip-us.apache.org/repos/asf/cxf/commit/e66ce235

External References:

https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc
Comment 1 Adam Mariš 2017-02-21 08:31:30 EST 
Created cxf tracking bugs for this issue:

Affects: fedora-all [bug 1425458]
Comment 4 Hamed Farid 2017-04-03 03:36:23 EDT 
Thanks Adam ,
I have two questions
1- If I use vulnerable CXF version like 3.0.12 but I don't use OAuth2 Hawk and JOSE , should I still be vulnerable ?
2- Is this finding affects only Linux systems ?
Comment 5 Hooman Broujerdi 2017-05-02 01:10:48 EDT 
Hi Hamed, 
Sorry for the delay getting back to you on this, to answer your questions:
1) No you are not vulnerable, basically there multiple access token types which can be used in cxf oauth2 and MAC and HAWK are among those token types so if you do not use them then you are not vulnerable.
2) Not necessarily linux systems, cxf oauth2 lib is affected and any application that utilizes this lib and uses the HAWK and MAC  token types could potentially be impacted.

Hope this helps.
Comment 6 Hamed Farid 2017-05-02 01:17:29 EDT 
Thanks for your response
Comment 7 errata-xmlrpc 2017-08-10 19:03:48 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.