GHSA-24r8-fm9r-cpj2

Suggest an improvement
Source
https://github.com/advisories/GHSA-24r8-fm9r-cpj2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-24r8-fm9r-cpj2/GHSA-24r8-fm9r-cpj2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-24r8-fm9r-cpj2
Aliases
Published
2019-12-05T18:40:51Z
Modified
2024-05-15T06:46:41.367373Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Low severity vulnerability that affects com.linecorp.armeria:armeria
Details

Multiple timing attack vulnerabilities leading to the recovery of secrets based on the use of non-constant time compare function

Impact

String comparison method in multiple authentication validation in Armeria were known to be vulnerable to timing attacks. This vulnerability is caused by the insecure implementation of equals method from java.lang.String. While this attack is not practically possible, an attacker still has a potential to attack if the victim's server validates user by using equals method.

We would like to thank @chrsow for pointing out the issue.

Potentially vulnerable codes

https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/OAuth2Token.java#L54 https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/BasicToken.java#L64

Patches

There are two options to patch this issue.

  1. Remove equals method; it has been exclusively used for test cases and was never used in any OSS projects that are using Armeria. (But it is worth noting that there are possibilities of closed projects authenticating users by utilizing equals method)

  2. Use MessageDigest.isEqual to compare the credential instead.

Workarounds

  1. Update to the latest version (TBD)

2-1. Users can prevent these vulnerabilities by modifying and implementing timing attack preventions by themselves.

2-2. Precisely speaking, it is possible to compare credentials by securely comparing them after calling methods to directly return the input (namely Object. accessToken(), Object.username() and Object.password()).

References

  • https://cwe.mitre.org/data/definitions/208.html
  • https://security.stackexchange.com/questions/111040/should-i-worry-about-remote-timing-attacks-on-string-comparison

Side Note

Since it is a theoretical attack, there is no PoC available from neither the vendor nor the security team.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-113"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:51:26Z"
}
References

Affected packages

Maven / com.linecorp.armeria:armeria

Package

Name
com.linecorp.armeria:armeria
View open source insights on deps.dev
Purl
pkg:maven/com.linecorp.armeria/armeria

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.50.0
Fixed
0.97.0

Affected versions

0.*

0.50.0
0.51.0
0.52.0
0.52.1
0.53.0
0.53.1
0.53.2
0.54.0
0.54.1
0.54.2
0.55.0
0.55.1
0.56.0
0.56.1
0.57.0
0.58.0
0.58.1
0.59.0
0.59.1
0.59.2
0.60.0
0.61.0
0.62.0
0.63.0
0.63.1
0.64.0
0.65.0
0.65.1
0.66.0
0.67.0
0.67.1
0.67.2
0.68.0
0.68.1
0.68.2
0.69.0
0.70.0
0.70.1
0.71.0
0.71.1
0.72.0
0.73.0
0.74.0
0.74.1
0.75.0
0.76.0
0.76.1
0.76.2
0.77.0
0.78.0
0.78.1
0.78.2
0.79.0
0.80.0
0.81.0
0.81.1
0.82.0
0.83.0
0.84.0
0.85.0
0.86.0
0.87.0
0.88.0
0.89.0
0.89.1
0.90.0
0.90.1
0.90.2
0.90.3
0.91.0
0.92.0
0.93.0
0.94.0
0.95.0
0.96.0