CVE-2021-22160

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Pulsar allows attackers to bypass JWT token authentication by using tokens with the 'none' algorithm, which are not properly validated. It affects any Apache Pulsar instance configured to use JWT-based authentication, potentially enabling unauthorized access as any user, including administrators. The issue stems from improper JWT signature validation, making it critical for organizations using Pulsar with JWT authentication.

💻 Affected Systems

Products:
  • Apache Pulsar
Versions: Apache Pulsar versions 2.7.0 to 2.7.1
Operating Systems: All operating systems running Apache Pulsar
Default Config Vulnerable: ✅ No
Notes: Only affects configurations where JWT-based authentication is enabled; default configurations without JWT are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full administrative access to the Pulsar cluster, allowing them to read, modify, or delete data, disrupt services, or escalate privileges across connected systems.

🟠 Likely Case

Unauthorized users impersonate legitimate users to access sensitive data or perform unauthorized operations within the Pulsar environment, leading to data breaches or service manipulation.

🟢 If Mitigated

If proper controls such as network segmentation and strict access policies are in place, the impact may be limited to isolated components, but the authentication bypass itself still poses a significant risk.

🌐 Internet-Facing: HIGH, as internet-facing Pulsar instances with JWT authentication are directly exploitable by remote attackers without authentication, increasing the attack surface.
🏢 Internal Only: MEDIUM, as internal instances are less exposed but still vulnerable to insider threats or compromised internal systems, requiring immediate patching.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward as it involves crafting a JWT token with the 'none' algorithm, requiring no special tools or deep technical knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Pulsar 2.7.2

Vendor Advisory: https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e@%3Cusers.pulsar.apache.org%3E

Restart Required: Yes

Instructions:

1. Download Apache Pulsar version 2.7.2 or later from the official Apache website.
2. Stop the Pulsar service.
3. Replace the existing installation with the new version.
4. Restart the Pulsar service and verify it is running correctly.

🔧 Temporary Workarounds

Disable JWT Authentication (platform: all)

Temporarily disable JWT-based authentication in the Pulsar configuration to prevent exploitation until patching is possible.

Edit the Pulsar configuration file (e.g., broker.conf) and set 'authenticationEnabled=false' or remove the JWT-specific settings. Note that this removes broker authentication entirely rather than just the vulnerable token check, so it should only be applied together with the network access controls below.

Implement Network Access Controls (platform: linux)

Restrict network access to Pulsar instances to trusted IP addresses only, reducing exposure to potential attackers.

Use firewall rules (e.g., iptables on Linux: 'iptables -A INPUT -p tcp --dport 6650 -s trusted_ip -j ACCEPT' followed by 'iptables -A INPUT -p tcp --dport 6650 -j DROP') or the equivalent on other platforms. The same pair of rules should be applied to the admin HTTP port (8080 by default), since the REST API uses the same authentication.

🧯 If You Can't Patch

  • Monitor logs for unusual authentication attempts or JWT tokens with 'none' algorithm and block suspicious IPs.
  • Enforce multi-factor authentication or additional security layers for Pulsar access to mitigate unauthorized entry.

🔍 How to Verify

Check if Vulnerable:

Check if JWT authentication is enabled in Pulsar configuration and verify the version is between 2.7.0 and 2.7.1; attempt to authenticate with a JWT token using 'none' algorithm to test bypass.

Check Version:

On the Pulsar server, run: 'pulsar-admin brokers version' or check the Pulsar binary with './bin/pulsar version'.

Verify Fix Applied:

After patching to version 2.7.2 or later, attempt to authenticate with a JWT token using 'none' algorithm; it should be rejected, and logs should show proper validation.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with JWT tokens, especially those mentioning the 'none' algorithm, or unexpected user impersonations in Pulsar logs. On an unpatched broker a 'none' token is accepted rather than rejected, so successful authentications by unexpected principals (particularly admin roles) are as important an indicator as failures.

Network Indicators:

  • Unusual traffic patterns to Pulsar ports (e.g., 6650, 8080) from untrusted sources, or spikes in authentication requests.

SIEM Query:

Example query for Splunk or similar: 'source="pulsar.log" (("JWT" AND "none") OR ("authentication failed" AND "token"))' to detect exploitation attempts. The outer parentheses make the grouping explicit so that the OR is scoped to the two term groups and not to the source filter.
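As an added example (not part of this advisory and not Pulsar's own authentication code), the following Python shows the validation-side shape of the fix and a log scan for the indicator above: an algorithm allowlist is checked before any signature logic runs, so a token whose header says 'none' (or anything else unexpected) is rejected before its payload is ever trusted. It assumes a deployment that signs tokens with a shared HMAC secret (HS256), and that tokens appear in the log lines being scanned (Pulsar's broker log does not normally include them, so in practice this would be a proxy or access log); the secret, the tokens and the log lines are constructed sample data, and only the standard library is used. Because an unpatched broker accepts a 'none' token, the scan keys on the token's header algorithm rather than on a "failed" message.

```python
import base64
import hashlib
import hmac
import json
import re

# Assumption: the deployment signs tokens with one shared HMAC secret (HS256).
# Anything outside this allowlist, including 'none', is refused before the
# signature is even looked at.
ALLOWED_ALGS = {"HS256"}
SECRET = b"constructed-demo-secret"  # constructed sample key, not a real one


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_header(token: str) -> dict:
    """Parse the JOSE header only. Nothing in it is trusted yet."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def verify_token(token: str, secret: bytes):
    """Return (accepted, detail): the subject on success, the reason otherwise.
    Order matters: algorithm allowlist, then signature presence, then HMAC check,
    and only then is the payload parsed."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        alg = decode_header(token).get("alg")
    except ValueError:
        return False, "unparseable header"
    if alg not in ALLOWED_ALGS:
        return False, f"algorithm {alg!r} not permitted"
    if not parts[2]:
        return False, "empty signature"
    try:
        presented = _b64url_decode(parts[2])
    except ValueError:
        return False, "undecodable signature"
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return False, "signature mismatch"
    payload = json.loads(_b64url_decode(parts[1]))
    return True, payload.get("sub")


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint a correctly signed token (used only to build the sample data)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def make_unsigned_token(payload: dict) -> str:
    """Token of the shape the advisory describes (alg 'none', empty signature),
    constructed here purely as detection test data."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Three base64url segments; the signature segment may be empty.
JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def scan_log_lines(lines):
    """Flag every token whose header algorithm is outside the allowlist,
    regardless of whether the line reports a success or a failure."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in JWT_RE.finditer(line):
            try:
                alg = decode_header(match.group(0)).get("alg")
            except ValueError:  # dotted strings that are not JWTs (IPs, versions)
                continue
            if alg not in ALLOWED_ALGS:
                findings.append((lineno, alg))
    return findings


# Constructed log lines in a generic access-log style, not real Pulsar output.
SAMPLE_LOG = [
    f"INFO  client 10.0.0.7 authenticated token={make_hs256_token({'sub': 'alice'}, SECRET)}",
    f"INFO  client 10.0.0.9 authenticated token={make_unsigned_token({'sub': 'admin'})}",
    "WARN  client 10.0.0.11 authentication failed: token invalid",
]

if __name__ == "__main__":
    for line_no, alg in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: token with disallowed algorithm {alg!r}")
```

Run as a script it reports line 2 of the sample log, the line on which a 'none' token was accepted. The same allowlist-first ordering is what a hardened validator needs: checking the signature only after the algorithm has been pinned means an attacker-chosen header can never select "no signature".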
