Timing Discrepancy Vulnerability Affects Pulsar Users
CVE-2023-51437

CVSS 3.1 base score: 7.4 (HIGH)

Key Information:

Vendor
Apache
CVE Published:
7 February 2024

Summary

The Apache Pulsar SASL Authentication Provider verifies the signature on a SASL Role Token with a comparison whose running time depends on how much of the presented signature matches the expected one. An attacker who can submit tokens and measure response times can use this observable timing discrepancy to recover, character by character, a signature that passes verification, and so forge a Role Token for a role of their choosing without ever learning the signing secret. No credentials are needed, but the number of timing measurements required is what puts Attack Complexity at High.

Every component that runs an affected version of the SASL Authentication Provider is exposed: the Pulsar Broker, Proxy, WebSocket Proxy and Function Worker. Deployments that do not enable SASL authentication are not exposed through this provider.

Mitigation: upgrade to the patched release for your line, 2.11.3, 3.0.2 or 3.1.1 (users on releases before 2.11 should move to one of these as well). After upgrading, rotate the secret stored in the file referenced by saslJaasServerRoleTokenSignerSecretPath: a signature recovered against the old secret keeps verifying until that secret is replaced.
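To make the fault class concrete, the following is an added example and not Pulsar's code. It signs a token with HMAC-SHA256, verifies it once with an early-exit comparison and once with a constant-time comparison, then runs the forgery against both using only the verifier as an oracle. The token layout "<role>:<hex signature>", the secret and the role names are constructed for illustration; the timing leak is modelled as a step counter returned by the comparison instead of measured wall-clock time, so the run is deterministic (a real attacker would average many timing samples per guess).

```python
"""Signature check with an observable timing discrepancy, and its fix (constructed example).

This is not Pulsar's code. The token layout "<role>:<hex HMAC-SHA256>", the secret
and the role names are constructed for illustration, and the timing leak is modelled
as a step counter returned by the comparison rather than measured wall-clock time, so
the run is deterministic. A real attacker would average many timing samples per guess.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-signing-secret"  # stand-in for the secret file contents
HEX = "0123456789abcdef"
SIG_LEN = 64  # hex length of an HMAC-SHA256 digest


def compute_signature(role: str, secret: bytes) -> str:
    return hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()


def sign_token(role: str, secret: bytes) -> str:
    """Issue a role token in the constructed "<role>:<hex signature>" layout."""
    return f"{role}:{compute_signature(role, secret)}"


def leaky_equals(presented: str, expected: str):
    """Early-exit comparison, returns (equal, steps).

    Work stops at the first mismatching character, so the step count (elapsed
    time, in real code) reveals how long a prefix of the guess is correct.
    """
    steps = 0
    if len(presented) != len(expected):
        return False, steps
    for a, b in zip(presented, expected):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equals(presented: str, expected: str):
    """Hardened comparison: hmac.compare_digest takes the same time wherever the
    inputs differ (Java's MessageDigest.isEqual plays the same role)."""
    equal = hmac.compare_digest(presented.encode(), expected.encode())
    return equal, len(expected)


def verify_token(token: str, secret: bytes, equals):
    """Return (role or None, observable steps); `equals` selects the comparator."""
    role, sep, presented = token.rpartition(":")
    if not sep:
        return None, 0
    accepted, steps = equals(presented, compute_signature(role, secret))
    return (role if accepted else None), steps


def forge_signature(role: str, oracle, sig_len: int = SIG_LEN) -> str:
    """Recover a signature for `role` that the verifier accepts, without the secret.

    For each position, try every hex digit with zero padding after it and keep the
    guess the verifier worked longest on (or accepted outright). Against the leaky
    comparator this takes at most 16 * sig_len queries; against the constant-time
    comparator every guess looks identical and the result is garbage.
    """
    recovered = ""
    for pos in range(sig_len):
        best_score, best_char = None, None
        for c in HEX:
            candidate = recovered + c + "0" * (sig_len - pos - 1)
            accepted_role, steps = oracle(f"{role}:{candidate}")
            score = (accepted_role is not None, steps)
            if best_score is None or score > best_score:
                best_score, best_char = score, c
        recovered += best_char
    return recovered


def run_demo(secret: bytes = SECRET) -> dict:
    """Try to forge an 'admin' token against both comparators."""
    true_sig = compute_signature("admin", secret)
    forged_leaky = forge_signature("admin", lambda t: verify_token(t, secret, leaky_equals))
    forged_safe = forge_signature("admin", lambda t: verify_token(t, secret, constant_time_equals))
    return {
        "leaky_forgery_valid": forged_leaky == true_sig,
        "safe_forgery_valid": forged_safe == true_sig,
    }


if __name__ == "__main__":
    print(run_demo())  # {'leaky_forgery_valid': True, 'safe_forgery_valid': False}
```

The forgery needs at most 16 queries per hex digit, so about a thousand requests recover a full 64-character signature from the leaky verifier; this is also why rotating the signer secret after the upgrade matters, since a signature recovered this way stays valid for the old secret. The fix is purely the comparator: the hardened version does exactly the same work whether the guess is wrong in the first character or the last.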

Affected Version(s)

Apache Pulsar <= 2.10.5 (all releases before 2.11; upgrade to a patched release below)

Apache Pulsar 2.11.0 through 2.11.2 (fixed in 2.11.3)

Apache Pulsar 3.0.0 through 3.0.1 (fixed in 3.0.2)

Apache Pulsar 3.1.0 (fixed in 3.1.1)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Score: 7.4
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 7 February 2024

Credit

Yiheng Cao
Chenhao Lu
Kaifeng Huang