CVE-2017-3156

cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

OAuth2 Hawk y JOSE MAC en Apache CXF en versiones anteriores a la 3.0.13 y en versiones 3.1.x anteriores a la 3.1.10 no emplean un algoritmo de comparación de firma MAC de tiempo constante, lo que podría ser explotado por ataques basados en tiempo sofisticados.

It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-12-05 CVE Reserved
2017-08-10 CVE Published
2023-03-07 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-385: Covert Timing Channel

CAPEC

References (11)

URL	Tag	Source
http://www.securityfocus.com/bid/96398	Third Party Advisory
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc	2023-11-07
https://access.redhat.com/errata/RHSA-2017:1832	2023-11-07
https://access.redhat.com/security/cve/CVE-2017-3156	2017-08-10
https://bugzilla.redhat.com/show_bug.cgi?id=1425455	2017-08-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				<= 3.0.12 Search vendor "Apache" for product "Cxf" and version " <= 3.0.12"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.0 Search vendor "Apache" for product "Cxf" and version "3.1.0"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.1 Search vendor "Apache" for product "Cxf" and version "3.1.1"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.2 Search vendor "Apache" for product "Cxf" and version "3.1.2"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.3 Search vendor "Apache" for product "Cxf" and version "3.1.3"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.4 Search vendor "Apache" for product "Cxf" and version "3.1.4"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.5 Search vendor "Apache" for product "Cxf" and version "3.1.5"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.6 Search vendor "Apache" for product "Cxf" and version "3.1.6"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.7 Search vendor "Apache" for product "Cxf" and version "3.1.7"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.8 Search vendor "Apache" for product "Cxf" and version "3.1.8"		-		Affected
Apache Search vendor "Apache"		Cxf Search vendor "Apache" for product "Cxf"				3.1.9 Search vendor "Apache" for product "Cxf" and version "3.1.9"		-		Affected