Bug 1425455 (CVE-2017-3156) - CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks
Summary: CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerabl...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-3156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1425458
Blocks: 1425457
TreeView+ depends on / blocked
 
Reported: 2017-02-21 13:23 UTC by Adam Mariš
Modified: 2021-02-17 02:34 UTC (History)
45 users (show)

Fixed In Version: cxf 3.0.13, cxf 3.1.10
Doc Type: If docs needed, set a value
Doc Text:
It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:07:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1832 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update 2017-08-15 05:47:49 UTC

Description Adam Mariš 2017-02-21 13:23:01 UTC 
Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMac secret key algorithms.

This vulnerability affects all versions of Apache CXF prior to 3.0.13, 3.1.10.

Upstream patches:

CXF 3.1.x:
http://git-wip-us.apache.org/repos/asf/cxf/commit/555843f9

CXF 3.0.x
http://git-wip-us.apache.org/repos/asf/cxf/commit/1338469f

CXF 3.2.0-SNAPSHOT (master):
http://git-wip-us.apache.org/repos/asf/cxf/commit/e66ce235

External References:

https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc
Comment 1 Adam Mariš 2017-02-21 13:31:30 UTC 
Created cxf tracking bugs for this issue:

Affects: fedora-all [bug 1425458]
Comment 4 Hamed Farid 2017-04-03 07:36:23 UTC 
Thanks Adam ,
I have two questions
1- If I use vulnerable CXF version like 3.0.12 but I don't use OAuth2 Hawk and JOSE , should I still be vulnerable ?
2- Is this finding affects only Linux systems ?
Comment 5 Hooman Broujerdi 2017-05-02 05:10:48 UTC 
Hi Hamed, 
Sorry for the delay getting back to you on this, to answer your questions:
1) No you are not vulnerable, basically there multiple access token types which can be used in cxf oauth2 and MAC and HAWK are among those token types so if you do not use them then you are not vulnerable.
2) Not necessarily linux systems, cxf oauth2 lib is affected and any application that utilizes this lib and uses the HAWK and MAC  token types could potentially be impacted.

Hope this helps.
Comment 6 Hamed Farid 2017-05-02 05:17:29 UTC 
Thanks for your response
Comment 7 errata-xmlrpc 2017-08-10 23:03:48 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832
Comment 8 Joshua Padman 2019-05-15 22:46:06 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Grid 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Operations Network 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 9 Joshua Padman 2019-06-19 05:57:25 UTC 
Whilst Red Hat Enterprise Application Platform 7 and Red Hat SSO both include components of cxf the oauth2 components are not included.
Note You need to log in before you can comment on or make changes to this bug.