Bug 1883371 (CVE-2020-26160) - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
Summary: CVE-2020-26160 jwt-go: access restriction bypass vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-26160
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1870189 1883385 1884482 1884483 1884484 1884485 1884486 1884488 1884489 1884490 1884491 1884492 1884493 1884494 1884495 1884496 1884497 1884498 1884499 1884500 1884501 1884502 1884503 1884504 1884505 1884506 1884507 1884508 1884509 1884510 1884511 1884512 1884513 1884514 1884515 1884516 1884517 1884518 1884519 1884520 1884521 1884522 1884523 1884524 1884525 1884526 1884527 1884605 1887406 1887407 1887412 1887662 1887816 1887817 1887818 1887819 1887820 1887821 1887822 1887823 1887824 1887825 1887826 1887827 1887828 1887829 1887830 1887831 1887832 1887833 1887834 1887835
Blocks: 1882042
Reported: 2020-09-29 00:26 UTC by Dhananjay Arunesh
Modified: 2021-12-14 13:42 UTC
CC List: 72 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in jwt-go that allows an access restriction bypass. The audience check asserts that the "aud" claim is a string; if m["aud"] is instead a slice (for example []string{}, which the JWT specification allows because "aud" may be an array of strings), the type assertion fails silently and aud is treated as "". When required is set to false, audience verification then succeeds even though the audiences being passed do not match.
Clone Of:
Environment:
Last Closed: 2021-02-18 19:01:55 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:5633  0        None      None    None     2021-02-24 15:10:18 UTC
Red Hat Product Errata  RHSA-2021:0516  0        None      None    None     2021-02-15 15:40:15 UTC
Red Hat Product Errata  RHSA-2021:0799  0        None      None    None     2021-03-10 11:15:43 UTC
Red Hat Product Errata  RHSA-2021:2438  0        None      None    None     2021-07-27 22:31:35 UTC
Red Hat Product Errata  RHSA-2021:5110  0        None      None    None     2021-12-14 13:42:09 UTC

Description Dhananjay Arunesh 2020-09-29 00:26:36 UTC
A vulnerability was found in jwt-go where it is vulnerable to Access Restriction Bypass: if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect, if required is set to false.

References:
https://github.com/dgrijalva/jwt-go/issues/428
https://github.com/dgrijalva/jwt-go/issues/422
https://snyk.io/vuln/golang:github.com%2Fdgrijalva%2Fjwt-go
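
A worked reproduction of the bypass, added here as an example; it is not jwt-go's code and not part of the bug report. The two functions re-implement the audience check from the description in plain Go: the first keeps the silent string type assertion, the second accepts every shape RFC 7519 permits for "aud" (a single string or an array of strings) and fails closed on anything else. The MapClaims type is assumed to have the same shape as jwt-go's (map[string]interface{}), and the sample payloads are constructed for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// MapClaims mirrors the shape of jwt-go's MapClaims (map[string]interface{}),
// which is what JSON decoding of a JWT payload produces. Assumed shape for
// this example; it is not the library's own type.
type MapClaims map[string]interface{}

// claimsFromJSON decodes a JWT payload (the middle segment, already
// base64url-decoded) the way a parser would: JSON arrays become []interface{}.
func claimsFromJSON(payload string) (MapClaims, error) {
	var m MapClaims
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// vulnerableVerifyAudience reproduces the logic the bug describes: a
// two-value type assertion to string. When "aud" is a JSON array (decoded as
// []interface{}) or was set programmatically as []string, the assertion fails
// silently, aud becomes "", and the result collapses to !required.
func vulnerableVerifyAudience(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string) // silently "" for any non-string value
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// fixedVerifyAudience accepts both shapes RFC 7519 allows for "aud" and
// rejects any other type, so a type mismatch is never mistaken for an
// absent claim.
func fixedVerifyAudience(m MapClaims, cmp string, required bool) bool {
	raw, present := m["aud"]
	if !present || raw == nil {
		return !required
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}:
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return false // malformed: non-string audience element
			}
			auds = append(auds, s)
		}
	default:
		return false // malformed: unexpected JSON type, reject outright
	}
	if len(auds) == 0 {
		return !required // an empty array carries no audience, same as absent
	}
	matched := false
	for _, a := range auds { // constant-time compare over every element, no early exit
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			matched = true
		}
	}
	return matched
}

func main() {
	// Constructed payloads: a token minted for a different service, presented
	// to a verifier that expects audience "my-service".
	payloads := []string{
		`{"sub":"alice","aud":"other-service"}`,
		`{"sub":"alice","aud":["other-service"]}`,
		`{"sub":"alice"}`,
	}
	for _, p := range payloads {
		c, err := claimsFromJSON(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-42s vulnerable(req=false)=%-5v fixed(req=false)=%-5v vulnerable(req=true)=%v\n",
			p,
			vulnerableVerifyAudience(c, "my-service", false),
			fixedVerifyAudience(c, "my-service", false),
			vulnerableVerifyAudience(c, "my-service", true))
	}
}
```

The second payload is the bypass: the vulnerable check returns true for an audience that does not match, while the fixed check rejects it. The last column shows that calling the vulnerable check with required=true fails closed even on the array case, because "" then maps to false; insisting on an audience is the mitigation when an upgrade is not immediately possible. The fixed version also treats an unexpected type as a failed verification rather than as an absent claim.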

Comment 4 Mark Cooper 2020-10-01 03:14:46 UTC
External References:

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

Comment 7 Mark Cooper 2020-10-02 06:42:47 UTC
Upstream commit: https://github.com/dgrijalva/jwt-go/pull/429

Comment 11 Jason Shepherd 2020-10-06 00:21:55 UTC
The github.com/dgrijalva/jwt-go module is an indirect dependency of k8s.io/client-go/plugin/pkg/client/auth/azure package pulled into Quay Bridge, and Setup operators via the Operator's SDK generated code:

./pkg/controller/namespace/namespace_controller.go:	"k8s.io/client-go/tools/cache"
./pkg/k8sutils/k8sutils.go:	"k8s.io/client-go/kubernetes"

The k8s.io/client-go/plugin/pkg/client/auth/azure package sets the aud field to a string when signing a JWT token, not an empty slice, making it currently not vulnerable to this flaw. 

https://github.com/Azure/go-autorest/blob/master/autorest/adal/token.go#L253

Also, the Quay operators do not pull in the vulnerable Azure plugin package (they only use tools, and kubernetes client-go packages), so even if the Azure/go-autorest module was using jwt-go in an unsafe way, the operators would not be vulnerable.

Comment 14 Jason Shepherd 2020-10-06 01:39:34 UTC
> Also, the Quay operators do not pull in the vulnerable Azure plugin package
> (they only use tools, and kubernetes client-go packages), so even if the
> Azure/go-autorest module was using jwt-go in an unsafe way, the operators
> would not be vulnerable.

This part was not the full story, cmd/manager/main.go also calls the init function of "k8s.io/client-go/plugin/pkg/client/auth" which initialises the Azure go-autorest plugin. Still though, that module does not use jwt-go in an unsafe way.

Comment 20 Hardik Vyas 2020-10-12 11:52:13 UTC
Statement:

The github.com/dgrijalva/jwt-go module is an indirect dependency of the k8s.io/client-go module pulled into Quay Bridge, and Setup operators via the Operator's SDK generated code. The k8s.io/client-go module does not use jwt-go in an unsafe way [1]. Red Hat Quay components have been marked as wontfix. This may be fixed in the future.

Similar to Quay, multiple OpenShift Container Platform (OCP) containers include jwt-go as a transitive dependency due to go-autorest [1]. As such, those containers do not use jwt-go in an unsafe way. They have been marked wontfix at this time and may be fixed in a future update.

Same as Quay and OpenShift Container Platform, components shipped with Red Hat OpenShift Container Storage 4 do not use jwt-go in an unsafe way and hence this issue has been rated as having a security impact of Low. A future update may address this issue.

Red Hat Gluster Storage 3 shipped multi-cloud-object-gateway-cli as a technical preview and is not currently planned to be addressed in future updates, hence the multi-cloud-object-gateway-cli package will not be fixed.

[1] https://github.com/Azure/go-autorest/issues/568#issuecomment-703804062

Comment 30 errata-xmlrpc 2021-02-15 15:40:11 UTC
This issue has been addressed in the following products:

  OpenShift Serverless 1.13

Via RHSA-2021:0516 https://access.redhat.com/errata/RHSA-2021:0516

Comment 31 Product Security DevOps Team 2021-02-18 19:01:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26160

Comment 32 errata-xmlrpc 2021-02-24 15:10:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633

Comment 33 errata-xmlrpc 2021-03-10 11:15:37 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799

Comment 35 errata-xmlrpc 2021-05-19 09:14:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

Comment 36 errata-xmlrpc 2021-05-19 10:23:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2042 https://access.redhat.com/errata/RHSA-2021:2042

Comment 37 errata-xmlrpc 2021-07-27 22:31:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 39 errata-xmlrpc 2021-12-14 13:42:07 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2021:5110 https://access.redhat.com/errata/RHSA-2021:5110

