Uploaded image for project: 'WSS4J'
  1. WSS4J
  2. WSS-677

Comparison in validate class is vulnerable to timing side channels

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.3.0
    • 2.2.6, 2.3.1
    • WSS4J Core
    • None
    • JDK 1.8

    Description

      Hello,

      We recently noticed potential timing side channels in the implementation of password comparisons. The issue is in org.apache.wss4j.dom.validate package in UsernameTokenValidator class inside verifyDigestPassword() method where it uses Java string equal to compare given password against the stored one. This is a well-known issue first reported in the following articles:

      https://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/

      https://github.com/eclipse/jetty.project/issues/1556

      Also, I am sending recent fixes for this type of vulnerable (Eclipse Jetty and OpenJDK crypto)

      https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java#L94

      http://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/26deba50fea8

      Please let us know if you have any questions,

      Best Regards,

      Saeid (saeid.tizpazniari@colorado.edu)

      Yannic (yannic.noller@acm.org)

      Attachments

        Activity

          People

            coheigea Colm O hEigeartaigh
            tizpaz Saeid Tizpaz-Niari
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: