Apache Mesos can be configured to require authentication for calls to the Executor HTTP API using JSON Web Tokens (JWT). In the JWT implementation used, the generated HMAC value is compared against the signature supplied in the token with the standard `==` operator instead of a constant-time comparison routine, which makes the check vulnerable to a timing attack. A malicious actor can therefore measure when the JWT validation function returns and use that timing difference to recover the correct HMAC value.
Upstream patch: https://github.com/apache/mesos/commit/2c282f19755ea7518caf6f43e729524b1c6bdb23
References: https://seclists.org/oss-sec/2018/q3/267
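The weak and the corrected comparison, side by side, in an HS256 JWT verifier. This is an added illustration, not Mesos code (Mesos is C++; the same pattern is shown here in Python for portability); the key, claims and token are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def insecure_equal(a: bytes, b: bytes) -> bool:
    # The flawed pattern: a plain equality test may stop at the first
    # mismatching byte, so its run time leaks how long the matching prefix is.
    return a == b


def constant_time_equal(a: bytes, b: bytes) -> bool:
    # Length mismatch is rejected, then every byte is examined regardless of
    # where the first difference is (stdlib equivalent: hmac.compare_digest).
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify_hs256(token: str, key: bytes, compare=constant_time_equal):
    """Return the claims if the token is a valid HS256 JWT under key, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        provided = b64url_decode(s)
    except ValueError:  # malformed segments, bad base64, bad JSON
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = sign_hs256(f"{h}.{p}", key)
    if not compare(expected, provided):
        return None
    return json.loads(b64url_decode(p))


def make_hs256(claims: dict, key: bytes) -> str:
    # Constructed helper so the verifier can be exercised offline
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}.{b64url_encode(sign_hs256(f'{h}.{p}', key))}"
```

Both comparison functions accept and reject the same tokens; the difference is only in how long a rejection takes, which is exactly what the advisory's timing attack exploits.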
Created mesos tracking bugs for this issue: Affects: fedora-all [bug 1632811]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-8023