Vulnerability Description
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file. Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker. 2.11 Pulsar users should upgrade to at least 2.11.3. 3.0 Pulsar users should upgrade to at least 3.0.2. 3.1 Pulsar users should upgrade to at least 3.1.1. Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions. For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Pulsar | <= 2.10.5 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5Issue TrackingVendor Advisory
- https://www.openwall.com/lists/oss-security/2024/02/07/1
- https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5Issue TrackingVendor Advisory
- https://www.openwall.com/lists/oss-security/2024/02/07/1
FAQ
What is CVE-2023-51437?
CVE-2023-51437 is a vulnerability with a CVSS score of 7.4 (HIGH). Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended ...
How severe is CVE-2023-51437?
CVE-2023-51437 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-51437?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Pulsar.