Posted to users@pulsar.apache.org by PengHui Li <pe...@apache.org> on 2021/05/25 13:26:37 UTC

[SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

CVE-2021-22160 Apache Pulsar Information Disclosure

Severity: High

Versions Affected:
Apache Pulsar < 2.7.1

Description:
If Apache Pulsar is configured to authenticate clients using tokens
based on JSON Web Tokens (JWT), the signature of the token is not
validated if the algorithm of the presented token is set to "none".
This allows an attacker to connect to Pulsar instances as any user
(incl. admins).

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
Upgrade to Apache Pulsar 2.7.1 or later

Credit:
This issue was identified by Peter Stöckli

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

Posted by Sijie Guo <gu...@gmail.com>.
For people who are following this thread, I want to make a clarification
about this issue (and apologies for not making it clear at the beginning).

This issue will ONLY happen to users who are using the JWT
authentication provider. If you are using other authentication providers,
you are NOT impacted.

If you are using a JWT authentication provider, you don't need to panic
either. If you have already configured `roleClaim`, `audienceClaim`, and
`audience` for your JWT auth provider, you are well protected in general,
because the JWT authentication provider will verify the audience. Unless
the attacker knows all the above fields, they will not be able to mock a token
to bypass the JWT auth provider.

Also, the issue can ONLY allow a token to be authenticated with a NONE
signing algorithm. An authenticated user doesn't directly gain any access.
It will still go through the authorization process, because all the Pulsar
roles are NOT predefined: Pulsar role names are generated, configured,
and managed by the users. Unless the attacker knows your roles, they won't
be able to mock a token to access your cluster.

So here are a couple of recommendations for everyone:

1) Make sure you enable the authorization provider to authorize any
connections coming to Pulsar.
2) Your superuser roles are typically configured in the broker conf. Please
don't use popular strings like `admin` or `superuser` as your superuser
roles, so the attacker won't be able to guess or brute-force your role
names.
3) You SHOULD configure the `roleClaim`, `audienceClaim`, and `audience`.

Let me know if you have any questions. Feel free to ping me if you need any
help.

- Sijie

On Tue, May 25, 2021 at 6:27 AM PengHui Li <pe...@apache.org> wrote:

> CVE-2021-22160 Apache Pulsar Information Disclosure
>
> Severity: High
>
> Versions Affected:
> Apache Pulsar < 2.7.1
>
> Description:
> If Apache Pulsar is configured to authenticate clients using tokens
> based on JSON Web Tokens (JWT), the signature of the token is not
> validated if the algorithm of the presented token is set to "none".
> This allows an attacker to connect to Pulsar instances as any user
> (incl. admins).
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> Upgrade to Apache Pulsar 2.7.1 or later
>
> Credit:
> This issue was identified by Peter Stöckli
>
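
Added example, not code from the advisory or from Pulsar itself: a minimal JWT encoder and two verifiers in Python. `vulnerable_verify` reproduces the pattern the advisory describes, where the `alg` in the untrusted header decides whether the signature is checked at all, so a token with `alg: none` and an empty signature segment is accepted as whoever it names. `hardened_verify` pins the algorithm to the one the deployment configured, requires a signature, and only then applies the audience and role-claim checks from the recommendations above, returning the role for a separate authorization step. The secret, the audience value `pulsar-prod`, the `sub` role claim and every function name here are this example's own assumptions, not Pulsar configuration or API; the tokens are constructed in the code. What the forged token makes visible is that with `alg: none` the attacker writes every claim, including `aud` and the role, so those checks only bite once unsigned tokens are refused first.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-secret-do-not-reuse"   # constructed; stands in for the broker's signing secret
EXPECTED_AUDIENCE = "pulsar-prod"                       # assumed value for the broker's `audience` setting
ROLE_CLAIM = "sub"                                      # assumed `roleClaim`; the claim carrying the Pulsar role


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, key: bytes) -> str:
    return _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def make_token(header: dict, payload: dict, key: bytes = b"") -> str:
    """Build a compact JWT; alg=none yields the empty third segment an attacker sends."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode()
    if header.get("alg") == "none":
        return f"{h}.{p}."
    if header.get("alg") == "HS256":
        return f"{h}.{p}.{_hs256(signing_input, key)}"
    raise ValueError("unsupported alg in this demo")


def vulnerable_verify(token: str, key: bytes) -> dict:
    """The pattern behind the advisory: the alg named in the untrusted header
    decides whether any signature is checked, so alg=none skips verification."""
    h, p, sig = token.split(".")
    header = json.loads(_b64url_decode(h))
    payload = json.loads(_b64url_decode(p))
    if header.get("alg") == "none":
        return payload                                  # signature never examined
    expected = _hs256(f"{h}.{p}".encode(), key)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("bad signature")
    return payload


def hardened_verify(token: str, key: bytes, audience: str, role_claim: str = ROLE_CLAIM) -> str:
    """Pin the algorithm to what the deployment configured, require a signature,
    then enforce audience and role claims; returns the role for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, sig = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":                    # the token never chooses the algorithm
        raise ValueError(f"rejected alg {header.get('alg')!r}")
    expected = _hs256(f"{h}.{p}".encode(), key)
    if not sig or not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("bad or missing signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("aud") != audience:
        raise ValueError("audience mismatch")
    role = payload.get(role_claim)
    if not isinstance(role, str) or not role:
        raise ValueError("missing role claim")
    return role


def accepts(verifier, token: str) -> bool:
    """True if the verifier accepts the token, False if it raises ValueError."""
    try:
        verifier(token)
        return True
    except ValueError:
        return False


def demo() -> dict:
    genuine = make_token({"alg": "HS256", "typ": "JWT"},
                         {"sub": "app-a", "aud": EXPECTED_AUDIENCE}, SECRET_KEY)
    # The attacker needs no key: they choose the role and audience and omit the signature.
    forged = make_token({"alg": "none", "typ": "JWT"},
                        {"sub": "admin", "aud": EXPECTED_AUDIENCE})
    vulnerable = lambda t: vulnerable_verify(t, SECRET_KEY)
    hardened = lambda t: hardened_verify(t, SECRET_KEY, EXPECTED_AUDIENCE)
    return {
        "vulnerable_accepts_forged": accepts(vulnerable, forged),
        "forged_role_seen_by_vulnerable": vulnerable_verify(forged, SECRET_KEY)["sub"],
        "hardened_accepts_forged": accepts(hardened, forged),
        "hardened_accepts_genuine": accepts(hardened, genuine),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to print the four outcomes. The hardened verifier deliberately returns only the role name: deciding what that role may do belongs to the authorization provider (recommendation 1 above), and authentication should never be the place where "admin" in a claim turns into admin rights.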

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

Posted by Sijie Guo <gu...@gmail.com>.
Jonathan,

Providing guides to Pulsar users on how to build a 2.6 image rather than
promoting a vendor image is much better.

- Sijie

On Thu, May 27, 2021 at 12:40 PM Jonathan Ellis <jb...@gmail.com> wrote:

> Hi Sijie,
>
> Given the serious nature of this vulnerability, we thought it was best to
> provide Apache Pulsar users with a 2.6 build as quickly as possible, in
> parallel with helping out on an official 2.6.4 release.
>
> On Thu, May 27, 2021 at 2:24 PM Sijie Guo <gu...@gmail.com> wrote:
>
>> Chris - I don't think it is appropriate to promote a vendor image here from
>> a vendor perspective.
>>
>> A better approach is to point out the change has been cherry-picked to
>> branch-2.6 and an ongoing discussion for getting a new bugfix release for
>> branch-2.6 is out.
>>
>> - Sijie
>>
>> On Thu, May 27, 2021 at 12:15 PM Chris Bartholomew <
>> chris.bartholomew@kesque.com> wrote:
>>
>> > For folks on Pulsar 2.6 using token-based authentication, since there is no
>> > 2.6 version with the CVE fix yet available, you are welcome to use our
>> > Pulsar Docker images which contain the fix and which we have confirmed
>> > resolve the CVE:
>> >
>> >    - datastax/pulsar:2.6.2_1.0.1
>> >      <https://hub.docker.com/layers/datastax/pulsar/2.6.2_1.0.1/images/sha256-598c4a99f4716de43838657b741b92f0310cea8539b9538659d4657ef8aaee17?context=explore>
>> >    - datastax/pulsar-all:2.6.2_1.0.1
>> >      <https://hub.docker.com/layers/datastax/pulsar-all/2.6.2_1.0.1/images/sha256-dfb4fa500372c17e009427322fd84a6302d7a4bf716cd511c103449756bad79f?context=explore>
>> >
>> > The fix
>> > <https://github.com/apache/pulsar/commit/67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6>
>> > has been committed to branch-2.6 (by Enrico). We (DataStax) are looking to
>> > help get an official 2.6 release out for this vulnerability fix ASAP.
>> >
>> > Chris
>> >
>> >
>> > On Tue, 25 May 2021 at 09:27, PengHui Li <pe...@apache.org> wrote:
>> >
>> > > CVE-2021-22160 Apache Pulsar Information Disclosure
>> > >
>> > > Severity: High
>> > >
>> > > Versions Affected:
>> > > Apache Pulsar < 2.7.1
>> > >
>> > > Description:
>> > > If Apache Pulsar is configured to authenticate clients using tokens
>> > > based on JSON Web Tokens (JWT), the signature of the token is not
>> > > validated if the algorithm of the presented token is set to "none".
>> > > This allows an attacker to connect to Pulsar instances as any user
>> > > (incl. admins).
>> > >
>> > > Mitigation:
>> > > Users of the affected versions should apply one of the following
>> > > mitigations:
>> > > Upgrade to Apache Pulsar 2.7.1 or later
>> > >
>> > > Credit:
>> > > This issue was identified by Peter Stöckli
>> > >
>> >
>>
>
>
> --
> Jonathan Ellis
> co-founder, http://www.datastax.com
> @spyced
>

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

Posted by Jonathan Ellis <jb...@gmail.com>.
Hi Sijie,

Given the serious nature of this vulnerability, we thought it was best to
provide Apache Pulsar users with a 2.6 build as quickly as possible, in
parallel with helping out on an official 2.6.4 release.

On Thu, May 27, 2021 at 2:24 PM Sijie Guo <gu...@gmail.com> wrote:

> Chris - I don't think it is appropriate to promote a vendor image here from
> a vendor perspective.
>
> A better approach is to point out the change has been cherry-picked to
> branch-2.6 and an ongoing discussion for getting a new bugfix release for
> branch-2.6 is out.
>
> - Sijie
>
> On Thu, May 27, 2021 at 12:15 PM Chris Bartholomew <
> chris.bartholomew@kesque.com> wrote:
>
> > For folks on Pulsar 2.6 using token-based authentication, since there is no
> > 2.6 version with the CVE fix yet available, you are welcome to use our
> > Pulsar Docker images which contain the fix and which we have confirmed
> > resolve the CVE:
> >
> >    - datastax/pulsar:2.6.2_1.0.1
> >      <https://hub.docker.com/layers/datastax/pulsar/2.6.2_1.0.1/images/sha256-598c4a99f4716de43838657b741b92f0310cea8539b9538659d4657ef8aaee17?context=explore>
> >    - datastax/pulsar-all:2.6.2_1.0.1
> >      <https://hub.docker.com/layers/datastax/pulsar-all/2.6.2_1.0.1/images/sha256-dfb4fa500372c17e009427322fd84a6302d7a4bf716cd511c103449756bad79f?context=explore>
> >
> > The fix
> > <https://github.com/apache/pulsar/commit/67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6>
> > has been committed to branch-2.6 (by Enrico). We (DataStax) are looking to
> > help get an official 2.6 release out for this vulnerability fix ASAP.
> >
> > Chris
> >
> >
> > On Tue, 25 May 2021 at 09:27, PengHui Li <pe...@apache.org> wrote:
> >
> > > CVE-2021-22160 Apache Pulsar Information Disclosure
> > >
> > > Severity: High
> > >
> > > Versions Affected:
> > > Apache Pulsar < 2.7.1
> > >
> > > Description:
> > > If Apache Pulsar is configured to authenticate clients using tokens
> > > based on JSON Web Tokens (JWT), the signature of the token is not
> > > validated if the algorithm of the presented token is set to "none".
> > > This allows an attacker to connect to Pulsar instances as any user
> > > (incl. admins).
> > >
> > > Mitigation:
> > > Users of the affected versions should apply one of the following
> > > mitigations:
> > > Upgrade to Apache Pulsar 2.7.1 or later
> > >
> > > Credit:
> > > This issue was identified by Peter Stöckli
> > >
> >
>


-- 
Jonathan Ellis
co-founder, http://www.datastax.com
@spyced

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

Posted by Sijie Guo <gu...@gmail.com>.
Chris - I don't think it is appropriate to promote a vendor image here from
a vendor perspective.

A better approach is to point out the change has been cherry-picked to
branch-2.6 and an ongoing discussion for getting a new bugfix release for
branch-2.6 is out.

- Sijie

On Thu, May 27, 2021 at 12:15 PM Chris Bartholomew <
chris.bartholomew@kesque.com> wrote:

> For folks on Pulsar 2.6 using token-based authentication, since there is no
> 2.6 version with the CVE fix yet available, you are welcome to use our
> Pulsar Docker images which contain the fix and which we have confirmed
> resolve the CVE:
>
>    - datastax/pulsar:2.6.2_1.0.1
>      <https://hub.docker.com/layers/datastax/pulsar/2.6.2_1.0.1/images/sha256-598c4a99f4716de43838657b741b92f0310cea8539b9538659d4657ef8aaee17?context=explore>
>    - datastax/pulsar-all:2.6.2_1.0.1
>      <https://hub.docker.com/layers/datastax/pulsar-all/2.6.2_1.0.1/images/sha256-dfb4fa500372c17e009427322fd84a6302d7a4bf716cd511c103449756bad79f?context=explore>
>
> The fix
> <https://github.com/apache/pulsar/commit/67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6>
> has been committed to branch-2.6 (by Enrico). We (DataStax) are looking to
> help get an official 2.6 release out for this vulnerability fix ASAP.
>
> Chris
>
>
> On Tue, 25 May 2021 at 09:27, PengHui Li <pe...@apache.org> wrote:
>
> > CVE-2021-22160 Apache Pulsar Information Disclosure
> >
> > Severity: High
> >
> > Versions Affected:
> > Apache Pulsar < 2.7.1
> >
> > Description:
> > If Apache Pulsar is configured to authenticate clients using tokens
> > based on JSON Web Tokens (JWT), the signature of the token is not
> > validated if the algorithm of the presented token is set to "none".
> > This allows an attacker to connect to Pulsar instances as any user
> > (incl. admins).
> >
> > Mitigation:
> > Users of the affected versions should apply one of the following
> > mitigations:
> > Upgrade to Apache Pulsar 2.7.1 or later
> >
> > Credit:
> > This issue was identified by Peter Stöckli
> >
>

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

Posted by Chris Bartholomew <ch...@kesque.com>.
For folks on Pulsar 2.6 using token-based authentication, since there is no
2.6 version with the CVE fix yet available, you are welcome to use our
Pulsar Docker images which contain the fix and which we have confirmed
resolve the CVE:

   - datastax/pulsar:2.6.2_1.0.1
     <https://hub.docker.com/layers/datastax/pulsar/2.6.2_1.0.1/images/sha256-598c4a99f4716de43838657b741b92f0310cea8539b9538659d4657ef8aaee17?context=explore>
   - datastax/pulsar-all:2.6.2_1.0.1
     <https://hub.docker.com/layers/datastax/pulsar-all/2.6.2_1.0.1/images/sha256-dfb4fa500372c17e009427322fd84a6302d7a4bf716cd511c103449756bad79f?context=explore>

The fix
<https://github.com/apache/pulsar/commit/67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6>
has been committed to branch-2.6 (by Enrico). We (DataStax) are looking to
help get an official 2.6 release out for this vulnerability fix ASAP.

Chris


On Tue, 25 May 2021 at 09:27, PengHui Li <pe...@apache.org> wrote:

> CVE-2021-22160 Apache Pulsar Information Disclosure
>
> Severity: High
>
> Versions Affected:
> Apache Pulsar < 2.7.1
>
> Description:
> If Apache Pulsar is configured to authenticate clients using tokens
> based on JSON Web Tokens (JWT), the signature of the token is not
> validated if the algorithm of the presented token is set to "none".
> This allows an attacker to connect to Pulsar instances as any user
> (incl. admins).
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> Upgrade to Apache Pulsar 2.7.1 or later
>
> Credit:
> This issue was identified by Peter Stöckli
>
