GHSA-24R8-FM9R-CPJ2
Vulnerability from github – Published: 2019-12-05 18:40 – Updated: 2024-05-15 06:34Multiple timing attack vulnerabilities leading to the recovery of secrets based on the use of non-constant time compare function
Impact
String comparison method in multiple authentication validation in Armeria were known to be vulnerable to timing attacks. This vulnerability is caused by the insecure implementation of equals method from java.lang.String. While this attack is not practically possible, an attacker still has a potential to attack if the victim's server validates user by using equals method.
We would like to thank @chrsow for pointing out the issue.
Potentially vulnerable codes
https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/OAuth2Token.java#L54 https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/BasicToken.java#L64
Patches
There are two options to patch this issue.
-
Remove
equalsmethod; it has been exclusively used for test cases and was never used in any OSS projects that are using Armeria. (But it is worth noting that there are possibilities of closed projects authenticating users by utilizingequalsmethod) -
Use
MessageDigest.isEqualto compare the credential instead.
Workarounds
- Update to the latest version (TBD)
2-1. Users can prevent these vulnerabilities by modifying and implementing timing attack preventions by themselves.
2-2. Precisely speaking, it is possible to compare credentials by securely comparing them after calling methods to directly return the input (namely Object. accessToken(), Object.username() and Object.password()).
References
- https://cwe.mitre.org/data/definitions/208.html
- https://security.stackexchange.com/questions/111040/should-i-worry-about-remote-timing-attacks-on-string-comparison
Side Note
Since it is a theoretical attack, there is no PoC available from neither the vendor nor the security team.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.linecorp.armeria:armeria"
},
"ranges": [
{
"events": [
{
"introduced": "0.50.0"
},
{
"fixed": "0.97.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16771"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:51:26Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Multiple timing attack vulnerabilities leading to the recovery of secrets based on the use of non-constant time compare function\n\n### Impact\n\nString comparison method in multiple authentication validation in Armeria were known to be vulnerable to timing attacks. This vulnerability is caused by the insecure implementation of `equals` method from `java.lang.String`. While this attack is not practically possible, an attacker still has a potential to attack if the victim\u0027s server validates user by using `equals` method.\n\nWe would like to thank @chrsow for pointing out the issue.\n\n## Potentially vulnerable codes\n\nhttps://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/OAuth2Token.java#L54\nhttps://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/BasicToken.java#L64\n\n### Patches\n\nThere are two options to patch this issue.\n\n1. Remove `equals` method; it has been exclusively used for test cases and was never used in any OSS projects that are using Armeria. (But it is worth noting that there are possibilities of closed projects authenticating users by utilizing `equals` method)\n\n2. Use `MessageDigest.isEqual` to compare the credential instead.\n\n### Workarounds\n\n1. Update to the latest version (TBD)\n\n2-1. Users can prevent these vulnerabilities by modifying and implementing timing attack preventions by themselves.\n\n2-2. Precisely speaking, it is possible to compare credentials by securely comparing them after calling methods to directly return the input (namely `Object. accessToken()`, `Object.username()` and `Object.password()`).\n\n### References\n- https://cwe.mitre.org/data/definitions/208.html\n- https://security.stackexchange.com/questions/111040/should-i-worry-about-remote-timing-attacks-on-string-comparison\n\n### Side Note\n\nSince it is a theoretical attack, there is no PoC available from neither the vendor nor the security team.",
"id": "GHSA-24r8-fm9r-cpj2",
"modified": "2024-05-15T06:34:23Z",
"published": "2019-12-05T18:40:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/line/armeria/security/advisories/GHSA-24r8-fm9r-cpj2"
},
{
"type": "WEB",
"url": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16771"
},
{
"type": "WEB",
"url": "https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-24r8-fm9r-cpj2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Low severity vulnerability that affects com.linecorp.armeria:armeria"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.