Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web Token (JWT). In Apache Mesos versions pre-1.4.2, 1.5.0, 1.5.1, 1.6.0 the comparison of the generated HMAC value against the provided signature in the JWT implementation used is vulnerable to a timing attack because instead of a constant-time string comparison routine a standard `==` operator has been used. A malicious actor can therefore abuse the timing difference of when the JWT validation function returns to reveal the correct HMAC value.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.apache.mesos:mesos(Maven) | 0 | 1.4.2 | N/A |
| org.apache.mesos:mesos(Maven) | 1.5.0 | 1.5.2 | N/A |
| org.apache.mesos:mesos(Maven) | 1.6.0 | 1.6.1 | N/A |
CVSS Metrics
