Bug 2397490 (CVE-2025-59432) - CVE-2025-59432 ongres-scram: Timing Attack Vulnerability in SCRAM Authentication
Summary: CVE-2025-59432 ongres-scram: Timing Attack Vulnerability in SCRAM Authentication
Keywords:
Status: NEW
Alias: CVE-2025-59432
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2397522 2397523 2397524
Blocks:
Reported: 2025-09-22 20:01 UTC by OSIDB Bzimport
Modified: 2025-09-22 21:26 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2025-09-22 20:01:17 UTC
SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to version 3.2, a timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted. This vulnerability has been patched in version 3.1 by replacing Arrays.equals with MessageDigest.isEqual, which ensures constant-time comparison.
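
The comparison change described above, as an added example that is not part of the original report and is not code from ongres-scram: the class name, method names and sample value are hypothetical, and bytesExaminedShortCircuit is a simplified model of a short-circuit comparison used only to show why its work depends on the input.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class ProofComparison {

    // Simplified model (assumption, not JDK source) of a short-circuit
    // comparison: reports how many bytes are examined before it returns.
    static int bytesExaminedShortCircuit(byte[] expected, byte[] received) {
        if (expected.length != received.length) {
            return 0;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != received[i]) {
                return i + 1; // stops at the first mismatch
            }
        }
        return expected.length;
    }

    // Before: the comparison the description identifies as timing-dependent.
    static boolean verifyShortCircuit(byte[] expected, byte[] received) {
        return Arrays.equals(expected, received);
    }

    // After: MessageDigest.isEqual examines every byte regardless of where
    // the first difference is, so the duration does not track the contents.
    static boolean verifyConstantTime(byte[] expected, byte[] received) {
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for a stored 32-byte secret value.
        byte[] expected = MessageDigest.getInstance("SHA-256")
                .digest("constructed-sample".getBytes(StandardCharsets.UTF_8));
        byte[] differsAtStart = expected.clone();
        differsAtStart[0] ^= 0x01;
        byte[] differsAtEnd = expected.clone();
        differsAtEnd[expected.length - 1] ^= 0x01;

        System.out.println("short-circuit work, mismatch at first byte: "
                + bytesExaminedShortCircuit(expected, differsAtStart));
        System.out.println("short-circuit work, mismatch at last byte:  "
                + bytesExaminedShortCircuit(expected, differsAtEnd));
        System.out.println("both variants reject a wrong value: "
                + (!verifyShortCircuit(expected, differsAtEnd)
                   && !verifyConstantTime(expected, differsAtEnd)));
        System.out.println("constant-time variant accepts the right value: "
                + verifyConstantTime(expected, expected.clone()));
    }
}
```

Both methods return the same boolean for every input; only the amount of work done before returning differs, which is why a functional test suite will not catch a regression back to Arrays.equals and a code-level check for that call on secret values is needed.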
