[ 
https://issues.apache.org/jira/browse/RANGER-5693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramachandran Krishnan updated RANGER-5693:
------------------------------------------
    Description: 
h2. Summary

Apache Ranger's JWT authentication handler ({{{}RangerJwtAuthHandler{}}}) logs 
the full
serialized JWT bearer token (header.payload.signature) at WARN level when token
validation fails. For some failure modes—especially audience mismatch after a
valid signature and unexpired token—the logged credential remains live and can 
be
replayed against another Ranger JWT endpoint that trusts the same signing 
material
and accepts the token's audience.
h2. Affected component
 * Module: {{ranger-authn}}
 * Class: {{org.apache.ranger.authz.handler.jwt.RangerJwtAuthHandler}}
 * Method: {{authenticate(String jwtAuthHeader)}} — validation-failure WARN path
 * Also used via: {{RangerDefaultJwtAuthHandler}} (Admin, PDP, audit paths, 
etc.)

h2. Affected versions

Verified on Apache Ranger 2.8.0. Same pattern present on ranger-2.8, ranger-2.9,
and master at time of report.
h2. Problem

On validation failure, the handler logs:
{{jwtToken.serialize()}}
which writes the complete bearer credential to operational logs.

{{validateToken()}} checks claims in order: expiration → signature → audience → 
issuer.
A cryptographically valid, unexpired token rejected only for audience mismatch 
still
hits the WARN branch and is logged in full.
h2. Impact

An actor with read access to Ranger operational logs (operators, log 
aggregation,
log storage) can recover a live JWT from a WARN entry and replay it against 
another
Ranger JWT consumer configured for that token's audience, authenticating as the
token subject.

This is not limited to malformed or unsigned tokens; reporter verified with a 
valid
RS256-signed JWT and future expiration.

  was:
h2. Summary

Apache Ranger's JWT authentication handler ({{{}RangerJwtAuthHandler{}}}) logs 
the full
serialized JWT bearer token (header.payload.signature) at WARN level when token
validation fails. For some failure modes—especially audience mismatch after a
valid signature and unexpired token—the logged credential remains live and can 
be
replayed against another Ranger JWT endpoint that trusts the same signing 
material
and accepts the token's audience.
h2. Affected component
 * Module: {{ranger-authn}}
 * Class: {{org.apache.ranger.authz.handler.jwt.RangerJwtAuthHandler}}
 * Method: {{authenticate(String jwtAuthHeader)}} — validation-failure WARN path
 * Also used via: {{RangerDefaultJwtAuthHandler}} (Admin, PDP, audit paths, 
etc.)

h2. Affected versions

Verified on Apache Ranger 2.8.0. Same pattern present on ranger-2.8, ranger-2.9,
and master at time of report.
h2. Problem

On validation failure, the handler logs:
{{jwtToken.serialize()}}
which writes the complete bearer credential to operational logs.

{{validateToken()}} checks claims in order: expiration → signature → audience → 
issuer.
A cryptographically valid, unexpired token rejected only for audience mismatch 
still
hits the WARN branch and is logged in full.
h2. Impact

An actor with read access to Ranger operational logs (operators, log 
aggregation,
log storage) can recover a live JWT from a WARN entry and replay it against 
another
Ranger JWT consumer configured for that token's audience, authenticating as the
token subject.

This is not limited to malformed or unsigned tokens; reporter verified with a 
valid
RS256-signed JWT and future expiration.
h2. Root cause

{{RangerJwtAuthHandler.authenticate()}} logs the raw serialized token when
{{validateToken()}} returns false (historically around line 128 on master).
h2. Proposed fix

Do not log the raw bearer token. On validation failure, log only non-sensitive
metadata needed for diagnosis, for example:
 * subject, audience, issuer
 * keyId (JWS header kid)
 * jwtId
 * tokenHash (SHA-256 of bearer string for log correlation only)
 * optional: failure reason (expired / signature / audience / issuer)

Example log line after fix:
{{JWT validation failed (subject=..., audience=..., issuer=..., keyId=..., 
jwtId=..., tokenHash=...)}}
h2. Backport targets
 *  master / 3.0
 *  ranger-2.9


> RangerJwtAuthHandler logs full JWT bearer token on validation failure 
> (CWE-532)
> -------------------------------------------------------------------------------
>
>                 Key: RANGER-5693
>                 URL: https://issues.apache.org/jira/browse/RANGER-5693
>             Project: Ranger
>          Issue Type: Task
>          Components: Ranger, ranger-authn
>    Affects Versions: 2.8.0
>            Reporter: Ramachandran Krishnan
>            Assignee: Ramachandran Krishnan
>            Priority: Major
>             Fix For: 3.0.0, 2.9.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h2. Summary
> Apache Ranger's JWT authentication handler ({{{}RangerJwtAuthHandler{}}}) 
> logs the full
> serialized JWT bearer token (header.payload.signature) at WARN level when 
> token
> validation fails. For some failure modes—especially audience mismatch after a
> valid signature and unexpired token—the logged credential remains live and 
> can be
> replayed against another Ranger JWT endpoint that trusts the same signing 
> material
> and accepts the token's audience.
> h2. Affected component
>  * Module: {{ranger-authn}}
>  * Class: {{org.apache.ranger.authz.handler.jwt.RangerJwtAuthHandler}}
>  * Method: {{authenticate(String jwtAuthHeader)}} — validation-failure WARN 
> path
>  * Also used via: {{RangerDefaultJwtAuthHandler}} (Admin, PDP, audit paths, 
> etc.)
> h2. Affected versions
> Verified on Apache Ranger 2.8.0. Same pattern present on ranger-2.8, 
> ranger-2.9,
> and master at time of report.
> h2. Problem
> On validation failure, the handler logs:
> {{jwtToken.serialize()}}
> which writes the complete bearer credential to operational logs.
> {{validateToken()}} checks claims in order: expiration → signature → audience 
> → issuer.
> A cryptographically valid, unexpired token rejected only for audience 
> mismatch still
> hits the WARN branch and is logged in full.
> h2. Impact
> An actor with read access to Ranger operational logs (operators, log 
> aggregation,
> log storage) can recover a live JWT from a WARN entry and replay it against 
> another
> Ranger JWT consumer configured for that token's audience, authenticating as 
> the
> token subject.
> This is not limited to malformed or unsigned tokens; reporter verified with a 
> valid
> RS256-signed JWT and future expiration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to