Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1632810 - (CVE-2018-8023) CVE-2018-8023 mesos: Exposure of HMAC value via timing vulnerability in JWT validation
CVE-2018-8023 mesos: Exposure of HMAC value via timing vulnerability in JWT ...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20180921,repor...
: Security
Depends On: 1632811
Blocks: 1632812
  Show dependency treegraph
 
Reported: 2018-09-25 11:30 EDT by Pedro Sampaio
Modified: 2018-09-25 11:30 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Pedro Sampaio 2018-09-25 11:30:10 EDT 
Apache Mesos can be configured to require authentication to call the
Executor HTTP API using JSON Web Token (JWT). The comparison of the
generated HMAC value against the provided signature in the JWT
implementation used is vulnerable to a timing attack because instead
of a constant-time string comparison routine a standard `==` operator
has been used. A malicious actor can therefore abuse the timing
difference of when the JWT validation function returns to reveal the
correct HMAC value.

Upstream patch:

https://github.com/apache/mesos/commit/2c282f19755ea7518caf6f43e729524b1c6bdb23

References:

https://seclists.org/oss-sec/2018/q3/267
Comment 1 Pedro Sampaio 2018-09-25 11:30:43 EDT 
Created mesos tracking bugs for this issue:

Affects: fedora-all [bug 1632811]
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.