[ 
https://issues.apache.org/jira/browse/RANGER-5693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramachandran Krishnan updated RANGER-5693:
------------------------------------------
    Summary: RangerJwtAuthHandler logs full JWT bearer token on validation 
failure  (was: RangerJwtAuthHandler logs full JWT bearer token on validation 
failure (CWE-532))

> RangerJwtAuthHandler logs full JWT bearer token on validation failure
> ---------------------------------------------------------------------
>
>                 Key: RANGER-5693
>                 URL: https://issues.apache.org/jira/browse/RANGER-5693
>             Project: Ranger
>          Issue Type: Task
>          Components: Ranger, ranger-authn
>    Affects Versions: 2.8.0
>            Reporter: Ramachandran Krishnan
>            Assignee: Ramachandran Krishnan
>            Priority: Major
>             Fix For: 3.0.0, 2.9.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h2. Summary
> Apache Ranger's JWT authentication handler ({{{}RangerJwtAuthHandler{}}}) 
> logs the full
> serialized JWT bearer token (header.payload.signature) at WARN level when 
> token
> validation fails. For some failure modes—especially audience mismatch after a
> valid signature and unexpired token—the logged credential remains live and 
> can be
> replayed against another Ranger JWT endpoint that trusts the same signing 
> material
> and accepts the token's audience.
> h2. Affected component
>  * Module: {{ranger-authn}}
>  * Class: {{org.apache.ranger.authz.handler.jwt.RangerJwtAuthHandler}}
>  * Method: {{authenticate(String jwtAuthHeader)}} — validation-failure WARN 
> path
>  * Also used via: {{RangerDefaultJwtAuthHandler}} (Admin, PDP, audit paths, 
> etc.)
> h2. Affected versions
> Verified on Apache Ranger 2.8.0. Same pattern present on ranger-2.8, 
> ranger-2.9,
> and master at time of report.
> h2. Problem
> On validation failure, the handler logs:
> {{jwtToken.serialize()}}
> which writes the complete bearer credential to operational logs.
> {{validateToken()}} checks claims in order: expiration → signature → audience 
> → issuer.
> A cryptographically valid, unexpired token rejected only for audience 
> mismatch still
> hits the WARN branch and is logged in full.
> h2. Impact
> An actor with read access to Ranger operational logs (operators, log 
> aggregation,
> log storage) can recover a live JWT from a WARN entry and replay it against 
> another
> Ranger JWT consumer configured for that token's audience, authenticating as 
> the
> token subject.
> This is not limited to malformed or unsigned tokens; reporter verified with a 
> valid
> RS256-signed JWT and future expiration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to