AVID-2026-R1303

Description

Apache Pulsar: Timing attack in SASL token signature verification (CVE-2023-51437)

Details

An observable timing discrepancy vulnerability in the Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1, which fix the issue. Users should also consider updating the configured secret in the file referenced by saslJaasServerRoleTokenSignerSecretPath.

Any component running an affected version with the SASL Authentication Provider enabled is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, and Function Worker.

2.11 Pulsar users should upgrade to at least 2.11.3. 3.0 Pulsar users should upgrade to at least 3.0.2. 3.1 Pulsar users should upgrade to at least 3.1.1. Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions.

For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/.
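As an added illustration of the verification pattern behind CWE-203 (a constructed example, not Pulsar's code): a role token signed with HMAC-SHA256, with the signature checked once by an early-exit byte comparison and once by a constant-time comparison. The token format, the demo secret and all function names are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo secret; in Pulsar the signer secret is read from the file
# named by saslJaasServerRoleTokenSignerSecretPath (rotate it after upgrading).
SECRET = b"constructed-demo-secret"


def sign_role(role: str, secret: bytes = SECRET) -> str:
    """Issue a role token in the assumed format '<role>:<hex HMAC-SHA256>'."""
    sig = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}:{sig}"


def early_exit_equals(a: bytes, b: bytes) -> bool:
    """Returns at the first differing byte, so the time it takes depends on
    how many leading bytes of a guessed signature are correct. This is the
    observable discrepancy (CWE-203) that makes forgery feasible."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def verify_role_token_leaky(token: str, secret: bytes = SECRET) -> Optional[str]:
    """Vulnerable pattern: signature checked with an early-exit comparison."""
    role, sep, sig = token.rpartition(":")
    if not sep or not role:
        return None
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return role if early_exit_equals(sig.encode(), expected.encode()) else None


def verify_role_token(token: str, secret: bytes = SECRET) -> Optional[str]:
    """Hardened pattern: hmac.compare_digest takes the same time regardless of
    where the inputs differ, so a rejected token leaks nothing about the
    correct signature. Returns the authenticated role, or None."""
    role, sep, sig = token.rpartition(":")
    if not sep or not role:
        return None
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return role
```

Both functions accept the same valid tokens and reject the same forged ones; the difference is only in how long a rejection takes, which is what the fixed Pulsar versions remove.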

Reason for inclusion in AVID: CVE-2023-51437 describes a timing-attack vulnerability in Apache Pulsar’s SASL token verification that can allow forging SASL tokens, impacting multiple Pulsar components (Broker, Proxy, Websocket Proxy, Function Worker). It is a software vulnerability with clear upgrade guidance and CVSS high severity. Apache Pulsar is a widely used component in data pipelines and AI deployment stacks for streaming/ingest-serve workloads; thus, this vulnerability is relevant to the software supply chain of general-purpose AI systems. Therefore, it should be kept for AVID curation as a vulnerability in the AI software supply chain.

References

Affected or Relevant Artifacts

  • Developer: Apache Software Foundation
  • Deployer: Apache Software Foundation
  • Artifact Details:
    Type: System
    Name: Apache Pulsar

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score: 7.4
Base Severity: High
Attack Vector: NETWORK
Attack Complexity: High
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: NONE

CWE

ID: CWE-203
Description: Observable Discrepancy

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-02-07
  • Version: 0.3.3
  • AVID Entry