Description of problem:
osin compares secrets for endpoints secured by client secret auth with native string comparison. This is done in linear time, which opens the possibility of a side-channel timing attack.

Version-Release number of selected component (if applicable):
Present in current master branch of "osin" https://github.com/openshift/osin

How reproducible:
This is believed to be a hardening bug, not a vulnerability. We do not have current information on the reliability of attacking via this timing side-channel.

Steps to Reproduce:
1. https://en.wikipedia.org/wiki/Timing_attack
2.
3.

Actual results:

Expected results:
String comparisons should take constant time.

Additional info:
Native string comparison is here:
- https://github.com/openshift/osin/blob/master/util.go#L31

Golang crypto library offers this as an alternative:
- https://golang.org/pkg/crypto/subtle/#ConstantTimeCompare
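The two comparison styles the report contrasts, written out side by side as an added illustration (this is not osin's code and does not reproduce util.go; the function names and the sample secret values are constructed for the example). The naive form is Go's built-in `==`, which stops at the first differing byte. The hardened form uses `crypto/subtle.ConstantTimeCompare`, with one caveat worth knowing: that function returns 0 immediately when the two slices differ in length, so hashing both inputs first keeps the compared slices equal-length and avoids leaking the secret's length as well.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// naiveSecretMatch is the pattern the report describes: Go's native string
// comparison. It returns as soon as the first differing byte is found, so the
// time it takes depends on how many leading bytes of the candidate match the
// stored secret. (Illustrative only; not the code at util.go#L31.)
func naiveSecretMatch(stored, candidate string) bool {
	return stored == candidate
}

// constantTimeSecretMatch is the hardened form. ConstantTimeCompare inspects
// every byte regardless of where the inputs first differ, but it does short
// circuit on a length mismatch. Hashing both sides first means the comparison
// always runs over two 32-byte digests, so neither the position of the first
// mismatch nor the length of the stored secret is observable through timing.
func constantTimeSecretMatch(stored, candidate string) bool {
	storedSum := sha256.Sum256([]byte(stored))
	candidateSum := sha256.Sum256([]byte(candidate))
	return subtle.ConstantTimeCompare(storedSum[:], candidateSum[:]) == 1
}

func main() {
	// Constructed sample values; any real deployment would load the stored
	// secret from its client store.
	stored := "example-client-secret-0123456789"
	for _, candidate := range []string{
		"example-client-secret-0123456789", // exact match
		"example-client-secret-012345678X", // differs in the last byte
		"Xxample-client-secret-0123456789", // differs in the first byte
		"example",                          // shorter candidate
	} {
		fmt.Printf("naive=%-5v constant-time=%-5v candidate=%q\n",
			naiveSecretMatch(stored, candidate),
			constantTimeSecretMatch(stored, candidate),
			candidate)
	}
}
```

Both functions return the same boolean for every input; the difference is only in how long each takes to reach its answer, which is exactly the property the report asks to remove.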
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409