CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

Description

Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side. This was added to address the Java deserialization vulnerability disclosed in CVE-2014-1972. In the fix for the previous vulnerability, the HMACs were compared by string comparison, which is known to be vulnerable to timing attacks.

Affected Versions

Apache Tapestry 5.3.6 through current releases.

Mitigation

No new release of Tapestry has occurred since the issue was reported. Affected organizations may want to consider locally applying commit d3928ad44714b949d247af2652c84dae3c27e1b1.

Timeline

2019-03-12: Issue discovered.
2019-03-13: Issue reported to security@apache.org.
2019-03-29: Pinged thread to ask for update.
2019-04-19: Fix committed.
2019-04-23: Asked about release timeline, response “in the upcoming months”
2019-05-28: Pinging again about release.
2019-06-24: Asked again, asked for CVE number assigned. No update on timeline.
2019-08-22: Disclosure posted.

Credit

This vulnerability was discovered by David Tomaschik of the Google Security Team.

Tags: Research, Advisories, Security, Vulnerability Research, CVE

System Overlord

A blog about security engineering, research, and general hacking.

CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

Description

Affected Versions

Mitigation

Timeline

Credit

Description

Affected Versions

Mitigation

Timeline

Credit

Related Posts