5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
42.8%
Several vulnerabilities have been reported in the time
and chrono
crates related to handling of calls to localtime_r
. You can follow some of the discussions here and here, and the associated CVE here. In our case, the issue with the dependency was flagged by our nightly CI build running cargo-audit
.
The vulnerability leads to a segfault in specific circumstances - namely, when one of a number of functions in the time
crate is called while any other thread is setting an environment variable. Given that in the case of the Parsec service this affects the SPIFFE authenticator, Parsec service users can encounter the issue only when the JWT SVID authenticator is enabled and being used. We have not undergone any manual tracing to understand if the vulnerable methods are called anywhere in our stack, however it seems reasonable to expect that if that were to be the case, the issue would lie in JWT validation (i.e. when handling the dates found within a Json Web Token). JWT validation could thus fail, bringing down the thread in which the request happens. The rest of the threads continue to work. Since the threadpool implementation that we use continues replenishing the pool when one thread panics, the impact on the service should be minimal.
No current patches exist as the problems lie in a number of dependencies that are not under our control (see more details here).
The issue tracking the required change in the rust-spiffe
crate (through which the vulnerable dependencies are imported in Parsec) can be seen here. Once updates happen in our dependency chain that allow us to update beyond the vulnerable versions of time
and chrono
, a new version of the Parsec service will be tagged and released with the appropriate notifications.
The only complete workaround is to use a different type of authenticator with the Parsec service.
As quoted in the initial paragraph, you can find out more information:
chrono
repo issue heretime
repo issue hereIf you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
parsec-service | ge | 0.8.0 | |
parsec-service | lt | 1.1.0 |
github.com/chronotope/chrono/issues/602
github.com/parallaxsecond/parsec
github.com/parallaxsecond/parsec/issues/544
github.com/parallaxsecond/parsec/issues/544#issuecomment-1024185688
github.com/parallaxsecond/parsec/security/advisories/GHSA-45w3-v3g4-54pm
github.com/time-rs/time/issues/293
nvd.nist.gov/vuln/detail/CVE-2020-26235
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
42.8%