Ecosyste.ms: Advisories
Harbor timing attack risk
In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks: the secret is checked with an ordinary string comparison, which returns as soon as the first differing byte is found, so the time taken reveals how much of the supplied value matched. The vulnerable line is here: https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69
To avoid this issue, a constant-time comparison should be used. In Go, subtle.ConstantTimeCompare returns 1 when the two byte slices are equal and 0 otherwise, so a mismatch is detected with:
subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0
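The following is an added example, not Harbor's own code, that places the variable-time comparison the advisory describes beside the constant-time form and wires the latter into a small HTTP authenticator. The header name, the "Harbor-Secret" scheme, and the secret value are constructed for the example and are not Harbor's actual values.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header and scheme are assumptions for this example, not Harbor's real protocol.
const secretHeader = "Authorization"
const secretScheme = "Harbor-Secret"

// variableTimeEqual is the pattern the advisory describes: Go's string
// comparison stops at the first differing byte, so the elapsed time leaks
// how long the matching prefix is. Shown only for contrast; do not use.
func variableTimeEqual(expected, got string) bool {
	return expected == got
}

// constantTimeEqual is the corrected form. subtle.ConstantTimeCompare returns
// 1 when the slices are equal and 0 otherwise, and its running time does not
// depend on where the inputs differ. It returns immediately when the lengths
// differ, so only the length of the secret is observable, which is not a secret.
func constantTimeEqual(expected, got string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

// extractSecret parses an Authorization header of the assumed form
// "<scheme> <secret>" and reports whether the scheme matched.
func extractSecret(header string) (string, bool) {
	prefix := secretScheme + " "
	if !strings.HasPrefix(header, prefix) {
		return "", false
	}
	return strings.TrimPrefix(header, prefix), true
}

// authenticate wraps a handler and rejects requests whose secret does not
// match, using the constant-time comparison for the check.
func authenticate(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		secret, ok := extractSecret(r.Header.Get(secretHeader))
		if !ok || !constantTimeEqual(expected, secret) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives one in-memory request through the middleware and returns
// the HTTP status code, so the behaviour can be checked without a listener.
func statusFor(expected, header string) int {
	h := authenticate(expected, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/v1/stats", nil)
	if header != "" {
		req.Header.Set(secretHeader, header)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const expected = "constructed-example-secret" // constructed sample value
	fmt.Println(statusFor(expected, secretScheme+" "+expected))    // 200
	fmt.Println(statusFor(expected, secretScheme+" wrong-secret")) // 401
	fmt.Println(statusFor(expected, ""))                           // 401
	// Both comparisons give the same answer; only their timing differs.
	fmt.Println(variableTimeEqual(expected, expected) == constantTimeEqual(expected, expected)) // true
}
```

Both functions return the same boolean for every input; the difference the advisory is about is not visible in the return value, only in how long the call takes, which is why a code review rather than a functional test is what catches it.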
Impact
This attack is theoretically possible, but no working proof of concept is available, and the CVSS attack complexity is rated High.
The jobservice exposes these APIs:
- Create a job task --- POST /api/v1/jobs
- Get job task information --- GET /api/v1/jobs/{job_id}
- Stop job task --- POST /api/v1/jobs/{job_id}
- Get job task log --- GET /api/v1/jobs/{job_id}/log
- Get job executions --- GET /api/v1/jobs/{job_id}/executions
- Get job stats --- GET /api/v1/stats
- Get jobservice configuration --- GET /api/v1/config
These are used to create and stop job tasks and to retrieve job task information. An attacker who obtains the secret can retrieve job information, create a job, or stop a job task.
The following versions of Harbor are affected:
<= Harbor 2.8.2, <= Harbor 2.7.2, <= Harbor 2.6.x, <= Harbor 1.10.17
Patches
Harbor 2.8.3, Harbor 2.7.3, Harbor 1.10.18
Workarounds
Because the jobservice only exposes its HTTP service to the harbor-core container, blocking all inbound traffic from external networks to the jobservice container reduces the risk.
Credits
Thanks to Porcupiney Hairs for reporting this issue.
Permalink: https://github.com/advisories/GHSA-mq6f-5xh5-hgcf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcTZmLTV4aDUtaGdjZs4AA2X3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 5 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-mq6f-5xh5-hgcf, CVE-2023-20902
References:
- https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf
- https://github.com/goharbor/harbor/blob/aaea068cceb4063ab89313d9785f2b40f35b0d63/src/jobservice/api/authenticator.go#L69-L69
- https://github.com/goharbor/harbor/releases/tag/v1.10.18
- https://github.com/goharbor/harbor/releases/tag/v2.7.3
- https://github.com/goharbor/harbor/releases/tag/v2.8.3
- https://nvd.nist.gov/vuln/detail/CVE-2023-20902
- https://github.com/advisories/GHSA-mq6f-5xh5-hgcf
Blast Radius: 3.6
Affected Packages
go:github.com/goharbor/harbor
Dependent packages: 0
Dependent repositories: 4
Downloads:
Affected Version Ranges: >= 2.8.0, < 2.8.3, >= 2.0.0, < 2.7.3, < 1.10.18
Fixed in: 2.8.3, 2.7.3, 1.10.18
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 1.10.16, 1.10.17, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.8.2
All unaffected versions: 1.10.18, 2.7.3, 2.7.4, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.10.0, 2.10.1, 2.10.2