Bug 1900078 (CVE-2019-20933) - CVE-2019-20933 influxdb: authentication bypass because a JWT token may have an empty SharedSecret
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-20933
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1900079
Blocks: 1900080
Reported: 2020-11-20 18:14 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-08-30 23:47 UTC (History)

Fixed In Version: influxdb 1.7.6
Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass vulnerability was found in InfluxDB. By default, when using JWT authentication, InfluxDB does not generate a signing secret, nor does the documentation state that a JWT secret must be generated. If InfluxDB is left in this default state, the flaw allows an attacker to generate their own JWT token and log into the InfluxDB instance, potentially escalating privileges and gaining access to sensitive information.
Clone Of:
Environment:
Last Closed: 2020-11-23 17:34:07 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2020-11-20 18:14:33 UTC
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

Reference:
https://github.com/influxdata/influxdb/issues/12927

Upstream patch:
https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0

Comment 1 Guilherme de Almeida Suckevicz 2020-11-20 18:14:58 UTC
Created golang-github-influxdb-influxdb tracking bugs for this issue:

Affects: epel-6 [bug 1900079]

Comment 2 Mark Cooper 2020-11-23 01:28:00 UTC
The OpenShift Service Mesh (OSSM) servicemesh-prometheus component packages a `non-vulnerable` version of influxdb. Both ossm 1.1.x and 2.0.x package influxdb:v1.7.7.

Similarly, the OpenShift Container Platform (OCP) container openshift4/ose-prometheus also packages a `non-vulnerable` version of influxdb, influxdb:v1.7.6. The openshift4/ose-ovn-kubernetes container did package a vulnerable version `only` for OCP 4.1, but it has since been removed and the container no longer contains influxdb.

Comment 4 Doran Moppert 2020-11-23 04:29:30 UTC
Red Hat Advanced Cluster Management for Kubernetes uses influxdb versions newer than those affected by this vulnerability.

Comment 5 Mark Cooper 2020-11-23 05:55:47 UTC
Red Hat OpenShift Jaeger (RHOSJ), the distributed-tracing/jaeger-rhel8-operator container, also packages a non-vulnerable version, 1.7.7, and hence is not affected.

Comment 7 Product Security DevOps Team 2020-11-23 17:34:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20933

Comment 10 RaTasha Tillery-Smith 2020-11-24 19:14:35 UTC
External References:

https://github.com/influxdata/influxdb/issues/12927

Comment 11 RaTasha Tillery-Smith 2020-11-24 19:14:38 UTC
Mitigation:

For versions before 1.7.6, as per the documentation updated by influxdb, ensure that a shared-secret has been defined when enabling JWT authentication:

https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#1-add-a-shared-secret-in-your-influxdb-configuration-file 

Versions including the fix will return an error if the secret is left empty.
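The behaviour described in the description and in the mitigation above (bearer authentication must fail closed when the configured shared secret is empty, instead of verifying tokens against an empty HMAC key) as an added Go example; this is not InfluxDB's code or the upstream patch. The function names, the `claims` struct, the sample secret and the timestamps are assumptions; the `username` and `exp` claim names follow the InfluxDB authentication documentation linked above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrNoSharedSecret is returned before any token is inspected when the
// operator has not configured a shared secret. This is the fail-closed
// check that the fixed versions are described as performing.
var ErrNoSharedSecret = errors.New("bearer authentication refused: http shared-secret is not configured")

// claims is the token payload (assumed shape: username + expiry, as in the docs).
type claims struct {
	Username string `json:"username"`
	Exp      int64  `json:"exp"`
}

// signHS256 issues a token the way a legitimate client would, using the
// operator-configured secret. Constructed helper for the example, not InfluxDB code.
func signHS256(c claims, secret string) string {
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil))
}

// authenticateBearer validates an HS256 bearer token against sharedSecret and
// returns the authenticated username. An empty sharedSecret is rejected
// unconditionally, so tokens are never verified against an empty key.
func authenticateBearer(token, sharedSecret string, now time.Time) (string, error) {
	if sharedSecret == "" {
		return "", ErrNoSharedSecret
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	enc := base64.RawURLEncoding

	// Pin the algorithm: anything other than HS256 is refused.
	hdrBytes, err := enc.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return "", errors.New("unsupported signing algorithm")
	}

	// Constant-time comparison of the HMAC over header.payload.
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, []byte(sharedSecret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("invalid signature")
	}

	// Only after the signature is trusted are the claims read and checked.
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if c.Username == "" {
		return "", errors.New("missing username claim")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	return c.Username, nil
}

func main() {
	now := time.Unix(1700000000, 0) // constructed "current" time
	tok := signHS256(claims{Username: "admin", Exp: now.Add(time.Hour).Unix()}, "example-secret")

	// Unconfigured secret: refused before the token is even parsed.
	_, err := authenticateBearer(tok, "", now)
	fmt.Println("empty shared-secret:", err)

	// Configured secret: normal verification path.
	user, err := authenticateBearer(tok, "example-secret", now)
	fmt.Println("configured shared-secret:", user, err)
}
```

The empty-secret check sits first on purpose: if it came after signature verification, an HMAC computed with an empty key would be a valid key for any token signed the same way, which is the condition the CVE describes. The test for a deployment is the same as the mitigation text: confirm that `[http] shared-secret` is non-empty before `auth-enabled = true` and JWT use are switched on.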

