#VU31202 Information disclosure in Mesos - CVE-2018-8023
Published: September 21, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31202
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-8023
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Mesos
Mesos
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Remediation
Install update from vendor's website.