Re: CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.

[Ariel Zelivansky <ariel.zelivans () gmail com>]

Hi,

I couldn't find the fix for this in the mesos repository and it is not
documented in the CHANGELOG, could someone direct me to the fixing
commit/patch?

Thanks
Ariel

On Fri, Sep 21, 2018 at 1:50 PM, Alex R <alexr () apache org> wrote:
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Mesos 1.4.0 to 1.6.0
> The unsupported Apache Mesos pre-1.4.0 releases may be also affected.
>
> Description:
> Apache Mesos can be configured to require authentication to call the
> Executor HTTP API using JSON Web Token (JWT). The comparison of the
> generated HMAC value against the provided signature in the JWT
> implementation used is vulnerable to a timing attack because instead
> of a constant-time string comparison routine a standard `==` operator
> has been used. A malicious actor can therefore abuse the timing
> difference of when the JWT validation function returns to reveal the
> correct HMAC value.
>
> Mitigation:
> pre-1.4.x users should upgrade to at least 1.4.2
> 1.4.x users should upgrade to 1.4.2
> 1.5.x users should upgrade to 1.5.2
> 1.6.0 users should upgrade to 1.6.1
> 1.7.0-dev users should obtain Mesos 1.7.0
>
> Credit:
> This issue was discovered by Terry Chia (Ayrx).
>
> Alex on behalf of Mesos PMC