Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apache mesos 1.5.0 |
||
apache mesos 1.5.1 |
||
apache mesos 1.6.0 |
||
apache mesos |