logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2019-16771 com.linecorp.armeria:armeria

Package

Manager: maven
Name: com.linecorp.armeria:armeria
Vulnerable Version: >=0.50.0 <0.97.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00416 pctl0.60882

Details

Low severity vulnerability that affects com.linecorp.armeria:armeria ## Multiple timing attack vulnerabilities leading to the recovery of secrets based on the use of non-constant time compare function ### Impact String comparison method in multiple authentication validation in Armeria were known to be vulnerable to timing attacks. This vulnerability is caused by the insecure implementation of `equals` method from `java.lang.String`. While this attack is not practically possible, an attacker still has a potential to attack if the victim's server validates user by using `equals` method. We would like to thank @chrsow for pointing out the issue. ## Potentially vulnerable codes https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/OAuth2Token.java#L54 https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/BasicToken.java#L64 ### Patches There are two options to patch this issue. 1. Remove `equals` method; it has been exclusively used for test cases and was never used in any OSS projects that are using Armeria. (But it is worth noting that there are possibilities of closed projects authenticating users by utilizing `equals` method) 2. Use `MessageDigest.isEqual` to compare the credential instead. ### Workarounds 1. Update to the latest version (TBD) 2-1. Users can prevent these vulnerabilities by modifying and implementing timing attack preventions by themselves. 2-2. Precisely speaking, it is possible to compare credentials by securely comparing them after calling methods to directly return the input (namely `Object. accessToken()`, `Object.username()` and `Object.password()`). ### References - https://cwe.mitre.org/data/definitions/208.html - https://security.stackexchange.com/questions/111040/should-i-worry-about-remote-timing-attacks-on-string-comparison ### Side Note Since it is a theoretical attack, there is no PoC available from neither the vendor nor the security team.

Metadata

Created: 2019-12-05T18:40:51Z
Modified: 2024-05-15T06:34:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-24r8-fm9r-cpj2/GHSA-24r8-fm9r-cpj2.json
CWE IDs: ["CWE-113"]
Alternative ID: GHSA-24r8-fm9r-cpj2
Finding: F184
Auto approve: 1