InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret). Reference: https://github.com/influxdata/influxdb/issues/12927 Upstream patch: https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0
Created golang-github-influxdb-influxdb tracking bugs for this issue:

Affects: epel-6 [bug 1900079]
The OpenShift Service Mesh (OSSM) servicemesh-prometheus component packages a `non-vulnerable` version of influxdb. Both ossm 1.1.x and 2.0.x package influxdb:v1.7.7. Similarly, the OpenShift Container Platform (OCP) container openshift4/ose-prometheus also packages a `non-vulnerable` version of influxdb, influxdb:v1.7.6. The openshift4/ose-ovn-kubernetes container did package a vulnerable version, `only` for OCP 4.1, but influxdb has since been removed and the container no longer contains it.
Red Hat Advanced Cluster Management for Kubernetes uses influxdb versions newer than those affected by this vulnerability.
Red Hat OpenShift Jaeger (RHOSJ), the distributed-tracing/jaeger-rhel8-operator container, also packages a non-vulnerable version, 1.7.7, and hence is not affected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20933
External References: https://github.com/influxdata/influxdb/issues/12927
Mitigation: For versions before 1.7.6, as per the documentation updated by influxdb, ensure that a default shared-secret has been defined when enabling JWT authentication: https://docs.influxdata.com/influxdb/v1.8/administration/authentication_and_authorization/#1-add-a-shared-secret-in-your-influxdb-configuration-file

Versions including the fix will return an error if the secret is left empty.
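The flaw and the fix, modelled as an added Go example (not InfluxDB's own handler.go, which uses a JWT library; the function names, the stdlib HMAC check and the constructed sample token are assumptions). With an empty shared secret the pre-fix signature check is an HMAC over an empty key, so any token minted with an empty key passes; the fixed path rejects the configuration before checking a signature.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// signHS256 builds a compact HS256 JWT; used here only to construct sample tokens.
func signHS256(claimsJSON string, secret []byte) string {
	head := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(claimsJSON))
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(head + "." + body))
	return head + "." + body + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyHS256 is the pre-1.7.6 shape of the check: an empty configured secret is
// just an empty HMAC key, so a token signed with an empty key verifies.
func verifyHS256(token string, secret []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal(sig, mac.Sum(nil))
}

// authenticateFixed models the fixed behaviour: refuse bearer auth outright when
// no shared secret is configured, before any signature check runs.
func authenticateFixed(token string, secret []byte) error {
	if len(secret) == 0 {
		return errors.New("bearer auth disabled: shared-secret not configured")
	}
	if !verifyHS256(token, secret) {
		return errors.New("invalid token signature")
	}
	return nil
}

func main() {
	tok := signHS256(`{"username":"admin"}`, nil) // constructed sample token, empty key
	fmt.Println("old check:", verifyHS256(tok, nil), "fixed:", authenticateFixed(tok, nil))
}
```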