CVE-2018-8023: Sensitive Information Exposure in Apache Mesos

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.8% (top 26.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 21; latest update Oct 17

Description

Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation fun
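
The comparison flaw described above, shown as an added example (not Mesos source code): an early-exit comparison of the kind `==` performs next to a constant-time one, each reporting how many bytes it examined. The function names and the sample signature strings are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical helper: models an early-exit comparison such as operator==.
// The number of bytes examined depends on the length of the matching prefix,
// which is the data-dependent timing the description refers to.
bool early_exit_equal(const std::string& expected, const std::string& provided,
                      std::size_t* examined) {
  *examined = 0;
  if (expected.size() != provided.size()) return false;
  for (std::size_t i = 0; i < expected.size(); ++i) {
    ++*examined;
    if (expected[i] != provided[i]) return false;  // stops at first mismatch
  }
  return true;
}

// Hypothetical helper: constant-time comparison. Every byte is always examined
// and differences are OR-accumulated, so the work done does not depend on
// where the inputs differ. Length is not secret: an HMAC has a fixed size.
bool constant_time_equal(const std::string& expected,
                         const std::string& provided, std::size_t* examined) {
  *examined = 0;
  if (expected.size() != provided.size()) return false;
  volatile unsigned char diff = 0;  // volatile discourages early-out optimisation
  for (std::size_t i = 0; i < expected.size(); ++i) {
    ++*examined;
    diff = static_cast<unsigned char>(diff | (expected[i] ^ provided[i]));
  }
  return diff == 0;
}

// Constructed sample values, not real Mesos signatures.
const std::string kExpected   = "3f9a1c77e2b04d58";
const std::string kWrongFirst = "0f9a1c77e2b04d58";  // differs at byte 0
const std::string kWrongLast  = "3f9a1c77e2b04d50";  // differs at byte 15

int main() {
  std::size_t a = 0, b = 0, c = 0, d = 0;
  early_exit_equal(kExpected, kWrongFirst, &a);
  early_exit_equal(kExpected, kWrongLast, &b);
  constant_time_equal(kExpected, kWrongFirst, &c);
  constant_time_equal(kExpected, kWrongLast, &d);
  std::printf("early-exit: %zu vs %zu bytes; constant-time: %zu vs %zu bytes\n",
              a, b, c, d);
  return 0;
}
```

In production code, prefer a vetted primitive such as OpenSSL's `CRYPTO_memcmp` over a hand-written loop.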

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (2 packages)

NVD: apache/mesos < 1.4.2 (+3)
CVEListV5: apache_software_foundation/apache_mesos 1.5.0, 1.5.1, 1.6.0, versions prior to 1.4.2 (+2)

🔴 Vulnerability Details (3)

OSV: Moderate severity vulnerability that affects org.apache.mesos:mesos (2018-10-17)
GHSA: Moderate severity vulnerability that affects org.apache.mesos:mesos (2018-10-17)
CVEList: CVE-2018-8023: Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT) (2018-09-21)

📋 Vendor Advisories (1)

Red Hat: mesos: Exposure of HMAC value via timing vulnerability in JWT validation (2018-09-21)

💬 Community (2)

Bugzilla: CVE-2018-8023 mesos: Exposure of HMAC value via timing vulnerability in JWT validation (2018-09-25)
Bugzilla: CVE-2018-8023 mesos: Exposure of HMAC value via timing vulnerability in JWT validation [fedora-all] (2018-09-25)