CVE-2023-51437

描述

Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file. Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker. 2.11 Pulsar users should upgrade to at least 2.11.3. 3.0 Pulsar users should upgrade to at least 3.0.2. 3.1 Pulsar users should upgrade to at least 3.1.1. Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions. For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .

如何修補 CVE-2023-51437

要修補 CVE-2023-51437,請將受影響套件升級到下列已修補版本。

• —升級至 2.11.3 或更新版本

CVE-2023-51437 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 2.11.3

CVSS 分數

參考連結(10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-51437
• PATCHgithub.com/apache/pulsar
• WEBgithub.com/apache/pulsar/commit/6274fa01a75d74d559bb7e514c970f1fc07d15bc
• WEBgithub.com/apache/pulsar/commit/bc1019fa8ed37b8a4c8bb01e3662c6c015e1bc27