Crispy-fried-chicken opened a new issue, #21053: URL: https://github.com/apache/pulsar/issues/21053
### Search before asking - [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar. ### Version https://github.com/apache/pulsar/commit/e951cd05268bd4e01fd1ab161fa2df65d219c8fc ### Minimal reproduce step I cannot be reproduced stably ### What did you expect to see? During signature verification, no matter whether the verification is correct or not, the time spent should be the same ### What did you see instead? The time spent in signature verification will be positively correlated with the correct substring length. ### Anything else? Hi there, I may have discovered a method in the newest version of [pulsar](https://github.com/apache/pulsar), which has "Observable Timing Discrepancy" vulnerability. The vulnerability is located in the method `org.apache.pulsar.broker.authentication.SaslRoleTokenSigner.verifyAndExtract(String signedStr)` . The vulnerability bears similarities to a recent CVE disclosure *CVE-2020-1926* in the *"apache/hive"* project. The source vulnerability information is as follows: > **Vulnerability Detail:** > > **CVE Identifier:** CVE-2020-1926 > > **Description**:Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8. > > **Reference:**https://nvd.nist.gov/vuln/detail/CVE-2020-1926 > > **Patch**: https://github.com/apache/hive/commit/ee5a6be81a87bb21b3779edad6e61b67b365997b **Vulnerability Description**: The vulnerability exists within the String verifyAndExtract(String signedStr) method of the org.apache.pulsar.broker.authentication.SaslRoleTokenSigner class. It is responsible for authenticating and extracting SaslRoleToken. SaslRoleToken is a token used for authentication and authorization, which contains a signed string of information about roles and permissions.**But the authentication snippet is similar to the vulnerable snippet for CVE-2020-1926 and may have the same consequence as CVE-2020-1926, where isvulnerable to timing attacks.** Therefore, maybe you need to fix the vulnerability with much the same fix code as the CVE-2020-1926 patch. Considering the potential riskes it may have, I am willing to cooperate with your to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me. ### Are you willing to submit a PR? - [X] I'm willing to submit a PR! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
