Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

Related Vulnerabilities: CVE-2019-10071   CVE-2014-1972  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="19"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#20">By Date</a>
<a href="21"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="19"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#20">By Thread</a>
<a href="21"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">CVE-2019-10071: Timing Attack in HMAC Verification in Apache	Tapestry</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: David Tomaschik via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Fri, 23 Aug 2019 11:01:43 -0700


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

Affected versions:
- Apache Tapestry 5.3.6 through current releases.

Description:
Apache Tapestry uses HMACs to verify the integrity of objects stored on the
client side.  This was added to address the Java deserialization
vulnerability
disclosed in CVE-2014-1972.  In the fix for the previous vulnerability, the
HMACs were compared by string comparison, which is known to be vulnerable to
timing attacks.

Mitigation:
No new release of Tapestry has occurred since the issue was reported.
Affected
organizations may want to consider locally applying commit
d3928ad44714b949d247af2652c84dae3c27e1b1.

Timeline:
- 2019-03-12: Issue discovered.
- 2019-03-13: Issue reported to security () apache org.
- 2019-03-29: Pinged thread to ask for update.
- 2019-04-19: Fix committed.
- 2019-04-23: Asked about release timeline, response "in the upcoming
months"
- 2019-05-28: Pinging again about release.
- 2019-06-24: Asked again, asked for CVE number assigned.  No update on
  timeline.
- 2019-08-22: Disclosure posted.

This vulnerability was discovered by David Tomaschik of the Google Security
Team.

-- 
David Tomaschik
Security Engineer
ISA Assessments

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="19"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#20">By Date</a>
<a href="21"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="19"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#20">By Thread</a>
<a href="21"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>CVE-2019-10071: Timing Attack in HMAC Verification in Apache	Tapestry</strong> <em>David Tomaschik via Fulldisclosure (Aug 25)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started