Apache Pulsar bug allowed account takeovers in certain configurations

Ben Dickson Jun 02, 2021 at 11:43 UTC

Updated: 02 June 2021 at 14:32 UTC

Software Maintainers Minimize Real Impact of JWT Vulnerability

The Apache Pulsar server messaging and data exchange platform fixed a security bug that could allow an attacker to hijack accounts configured in a specific way.

A draw request on Apache Pulsar GitHub reads: “If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the token signature is not validated if the token algorithm presented is set to “none”. This allows an attacker to connect to Pulsar instances as a user (including administrators).

JWT is an open standard for the secure transmission of information between parties in JSON format. One of the common uses of JWT is to authenticate and authorize users.

Identification required

The bug was originally reported as high gravity. But Sijie Guo, a member of the Apache Pulsar Project (PMC) management committee, said The daily sip that the actual impact of the bug is minimal.

“The problem can ONLY allow a token to be authenticated with a NONE signature algorithm,” Guo explained.

“An authenticated user does not have direct access. It will still go through the authorization process, as not all Pulsar roles are predefined.

He added, “Pulsar role names are generated, configured and managed by users. Unless the attacker knows your roles, they won’t be able to mock a token to gain access to your cluster. “

Learn about the latest news on security vulnerabilities

Guo also said that JWT is not the default authentication mode for Pulsar.

“Pulsar provides a pluggable authentication plugin to support different authentication mechanisms,” he said.

“It currently supports mutual-TLS, OAuth2, Athenz, Kerberos and JWT. mTLS and OAuth2 are the most popular. JWT is just one of them.

Regarding admin users, Guo said attackers will need to know the username before they can hack them.

“The superuser and administrator roles are not predefined,” Guo said. “They need to be generated, configured and managed by Pulsar users. “

Guo also said that a successful exploit – even on an administrator user – would not result in more severe attacks on the host system and would remain limited to creating and deleting topics in a given tenant in a Pulsar cluster.

ADVISED Overwolf game development platform fixes bug that could allow RCE via chained exploit

Nonetheless, Guo agrees that there should be more caution when incorporating new features into the app. “It’s important to read the documentation on the third-party library we choose and use the correct method to parse the JWT token,” he said.

Peter Stöckli, the security researcher who discovered and reported the bug, said The daily sip, “The developers shouldn’t be too blamed here. They did not explicitly specify that “none” can be used as an algorithm.

“Basically they called the wrong method on the JWT library they used. The JWT library cannot be faulted too much, as using the ‘none’ algorithm is part of the standard (unsafe JWTs).

The bug, fixed in the latest version of Pulsar (2.7.1), existed since version 2.5.1, which introduced the JWT authentication provider option.

YOU MAY ALSO LIKE Klarna Privacy Clanger blamed on buggy software update

Source link

About Brian Steele

Brian Steele

Check Also

Statistics suggest that many Brits don’t want it or think it’s a terrible idea • The Register

Police and anti-lockdown protesters clash outside the Houses of Parliament with spirits seething in Westminster …

Leave a Reply

Your email address will not be published. Required fields are marked *