[
https://issues.apache.org/jira/browse/RANGER-5693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ramachandran Krishnan updated RANGER-5693:
------------------------------------------
Summary: RangerJwtAuthHandler logs full JWT bearer token on validation
failure (was: RangerJwtAuthHandler logs full JWT bearer token on validation
failure (CWE-532))
> RangerJwtAuthHandler logs full JWT bearer token on validation failure
> ---------------------------------------------------------------------
>
> Key: RANGER-5693
> URL: https://issues.apache.org/jira/browse/RANGER-5693
> Project: Ranger
> Issue Type: Task
> Components: Ranger, ranger-authn
> Affects Versions: 2.8.0
> Reporter: Ramachandran Krishnan
> Assignee: Ramachandran Krishnan
> Priority: Major
> Fix For: 3.0.0, 2.9.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> h2. Summary
> Apache Ranger's JWT authentication handler ({{{}RangerJwtAuthHandler{}}})
> logs the full
> serialized JWT bearer token (header.payload.signature) at WARN level when
> token
> validation fails. For some failure modes—especially audience mismatch after a
> valid signature and unexpired token—the logged credential remains live and
> can be
> replayed against another Ranger JWT endpoint that trusts the same signing
> material
> and accepts the token's audience.
> h2. Affected component
> * Module: {{ranger-authn}}
> * Class: {{org.apache.ranger.authz.handler.jwt.RangerJwtAuthHandler}}
> * Method: {{authenticate(String jwtAuthHeader)}} — validation-failure WARN
> path
> * Also used via: {{RangerDefaultJwtAuthHandler}} (Admin, PDP, audit paths,
> etc.)
> h2. Affected versions
> Verified on Apache Ranger 2.8.0. Same pattern present on ranger-2.8,
> ranger-2.9,
> and master at time of report.
> h2. Problem
> On validation failure, the handler logs:
> {{jwtToken.serialize()}}
> which writes the complete bearer credential to operational logs.
> {{validateToken()}} checks claims in order: expiration → signature → audience
> → issuer.
> A cryptographically valid, unexpired token rejected only for audience
> mismatch still
> hits the WARN branch and is logged in full.
> h2. Impact
> An actor with read access to Ranger operational logs (operators, log
> aggregation,
> log storage) can recover a live JWT from a WARN entry and replay it against
> another
> Ranger JWT consumer configured for that token's audience, authenticating as
> the
> token subject.
> This is not limited to malformed or unsigned tokens; reporter verified with a
> valid
> RS256-signed JWT and future expiration.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)