CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
53.4%
String comparison method in multiple authentication validation in Armeria were known to be vulnerable to timing attacks. This vulnerability is caused by the insecure implementation of equals
method from java.lang.String
. While this attack is not practically possible, an attacker still has a potential to attack if the victim’s server validates user by using equals
method.
We would like to thank @chrsow for pointing out the issue.
https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/OAuth2Token.java#L54
https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/BasicToken.java#L64
There are two options to patch this issue.
Remove equals
method; it has been exclusively used for test cases and was never used in any OSS projects that are using Armeria. (But it is worth noting that there are possibilities of closed projects authenticating users by utilizing equals
method)
Use MessageDigest.isEqual
to compare the credential instead.
2-1. Users can prevent these vulnerabilities by modifying and implementing timing attack preventions by themselves.
2-2. Precisely speaking, it is possible to compare credentials by securely comparing them after calling methods to directly return the input (namely Object. accessToken()
, Object.username()
and Object.password()
).
Since it is a theoretical attack, there is no PoC available from neither the vendor nor the security team.
Vendor | Product | Version | CPE |
---|---|---|---|
com.linecorp.armeria | armeria | * | cpe:2.3:a:com.linecorp.armeria:armeria:*:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
53.4%