CVE-2023-51437

7.4 HIGH

📋 TL;DR

Apache Pulsar's SASL Authentication Provider verified the signature on a SASL Role Token with a non-constant-time (early-exit) comparison, so the time a component took to reject a token revealed how many leading bytes of the presented signature were correct. An unauthenticated attacker who can measure those response times can recover a valid signature byte by byte and forge a Role Token for a role of their choosing without ever learning the signing secret. Every Pulsar component that runs the SASL Authentication Provider (broker, proxy, websocket proxy, function worker) on an unpatched release is affected.
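To make the mechanism concrete, the following added example models the bug class. It is not Apache Pulsar's code: the `<role>&s=<hex signature>` token layout, the HMAC-SHA256 signer and the tick-counting clock that stands in for real latency measurements are assumptions chosen so the attack runs deterministically and offline. It shows a verifier that checks the signature with an early-exit comparison, an attacker who recovers the whole signature one character at a time from the timing oracle alone, and the constant-time comparison that closes the leak.

```python
"""Model of the CVE-2023-51437 bug class: a signed role token checked with an
early-exit comparison leaks, through response time, how many leading signature
characters matched, so an attacker recovers the signature one character at a
time. Added illustration, not Pulsar code; token format, signer and clock are
assumptions made to keep the demonstration deterministic and offline."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for the server-side signer secret (the real one lives in
# the file named by saslJaasServerRoleTokenSignerSecretPath).
SECRET = b"constructed-signer-secret-do-not-reuse"
SIG_LEN = 64            # hex digits of an HMAC-SHA256
HEX = "0123456789abcdef"


def sign(role: str, secret: bytes = SECRET) -> str:
    return hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()


def make_token(role: str, secret: bytes = SECRET) -> str:
    """What a legitimate server issues after a successful SASL handshake."""
    return f"{role}&s={sign(role, secret)}"


def split_token(token: str) -> Tuple[str, str]:
    role, sep, sig = token.rpartition("&s=")
    if not sep:
        raise ValueError("token has no signature field")
    return role, sig


class Clock:
    """Attacker's stopwatch: one tick per signature character the server
    compared before returning, i.e. a noise-free model of response time."""
    def __init__(self) -> None:
        self.ticks = 0


def leaky_equals(a: str, b: str, clock: Clock) -> bool:
    """Vulnerable pattern: String.equals-style comparison that returns at the
    first mismatching character, so its duration reveals the matching prefix."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
        clock.ticks += 1
    return True


def constant_time_equals(a: str, b: str, clock: Clock) -> bool:
    """Fixed pattern: every character is compared and folded into one flag, so
    duration does not depend on where the inputs differ. Production code should
    call hmac.compare_digest (Python) or MessageDigest.isEqual (Java) instead."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= ord(x) ^ ord(y)
        clock.ticks += 1
    return diff == 0


def verify(token: str, clock: Clock, compare=leaky_equals,
           secret: bytes = SECRET) -> Optional[str]:
    """Server side: recompute the signature for the claimed role and compare it
    with the presented one. Returns the authenticated role or None."""
    role, sig = split_token(token)
    return role if compare(sign(role, secret), sig, clock) else None


def forge_via_timing(role: str, compare=leaky_equals) -> str:
    """Attacker side: never touches SECRET, only submits tokens and reads the
    clock. At each position the candidate that makes the server compare one
    character longer is the correct one (at most 16 guesses per hex digit)."""
    known = ""
    for pos in range(SIG_LEN):
        best_char, best_ticks = HEX[0], -1
        for c in HEX:
            guess = known + c + HEX[0] * (SIG_LEN - pos - 1)
            clock = Clock()
            verify(f"{role}&s={guess}", clock, compare)
            if clock.ticks > best_ticks:
                best_char, best_ticks = c, clock.ticks
        known += best_char
    return f"{role}&s={known}"


def demo(role: str = "admin") -> dict:
    forged = forge_via_timing(role, leaky_equals)
    return {
        "forged_equals_real_token": forged == make_token(role),
        "vulnerable_server_accepts_forgery": verify(forged, Clock()) == role,
        # Against the fixed comparison the clock is flat for every guess, so the
        # attacker ends with junk instead of the signature.
        "recovered_against_fix": forge_via_timing(role, constant_time_equals) == make_token(role),
    }


if __name__ == "__main__":
    print(demo())
```

Against `leaky_equals` the recovered token is byte-for-byte the genuinely signed one and the vulnerable verifier accepts it; against `constant_time_equals` every guess costs the same number of ticks and the search learns nothing. A real network adds jitter, which is why the attack needs many measurements per byte rather than one, but the cost structure is unchanged: 64 hex digits times 16 candidates instead of a 2^256 search over the whole signature.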

💻 Affected Systems

Products:
  • Apache Pulsar Broker
  • Apache Pulsar Proxy
  • Apache Pulsar Websocket Proxy
  • Apache Pulsar Function Worker
Versions: 2.11.x before 2.11.3, 3.0.x before 3.0.2, 3.1.x before 3.1.1, and every earlier release line (2.10 and below), which received no fix
Operating Systems: All operating systems running Apache Pulsar
Default Config Vulnerable: ❌ No (authentication is disabled out of the box; the SASL provider must be explicitly configured)
Notes: Only components running the SASL Authentication Provider (AuthenticationProviderSasl), which issues and verifies signed Role Tokens, are affected

📦 What is this software?

Apache Pulsar is an open-source distributed messaging and streaming platform from the Apache Software Foundation. Its SASL Authentication Provider authenticates clients with Kerberos through JAAS and, once the handshake succeeds, hands the client a signed Role Token that it presents to the broker or proxy on subsequent requests; the token is verified against the secret in the file named by saslJaasServerRoleTokenSignerSecretPath, which is why the advisory asks for that secret to be rotated alongside the upgrade.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Pulsar cluster allowing unauthorized data access, message injection, and administrative control

🟠

Likely Case

Unauthorized access to Pulsar topics and functions, potentially leading to data exposure or service disruption

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, but authentication bypass still possible

🌐 Internet-Facing: HIGH - an Internet-exposed SASL listener can be probed without credentials; network jitter raises the number of measurements the attacker needs but does not rule the attack out
🏢 Internal Only: MEDIUM - the attacker needs only TCP reachability to a SASL-enabled broker, proxy, websocket proxy or function worker, and the low jitter of a LAN makes the timing signal easier to measure

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: Not publicly reported
Unauthenticated Exploit: ⚠️ Yes (no credentials or user interaction required)
Complexity: HIGH (CVSS rates attack complexity High)

Recovering a signature one byte at a time takes many authentication attempts per byte, and the attacker must be able to separate a one-byte difference in comparison time from network jitter, so the attack needs sustained, unthrottled access to the listener and usually a low-latency path to it

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.3, 3.0.2, or 3.1.1

Vendor Advisory: https://lists.apache.org/thread/5kgmvvolf5tzp5rz9xjwfg2ncwvqqgl5

Restart Required: Yes

Instructions:

1. Identify every component running the SASL Authentication Provider (brokers, proxies, websocket proxies, function workers); each one needs the upgrade.
2. Back up configuration and data.
3. Stop the component and upgrade it to the patched release for its line (2.11.3, 3.0.2 or 3.1.1) or any later release.
4. Rotate the secret in the file named by saslJaasServerRoleTokenSignerSecretPath, as the advisory recommends: Role Tokens signed with the old secret, including any an attacker may already have recovered, then stop validating.
5. Restart the services and confirm that SASL clients still authenticate.

🔧 Temporary Workarounds

Network isolation

linux

Allow only trusted networks to reach the listeners of SASL-enabled components; an attacker who cannot open a connection cannot run the timing probe. The rules below cover the broker's default binary (6650, and 6651 for TLS) and HTTP (8080, and 8443 for TLS) ports; replace TRUSTED_CIDR, insert the rules ahead of any broader ACCEPT rule, and repeat them on proxies, websocket proxies and function workers with their own ports.

# TRUSTED_CIDR is a placeholder, e.g. 10.0.0.0/8
iptables -A INPUT -p tcp -m multiport --dports 6650,6651,8080,8443 -s TRUSTED_CIDR -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 6650,6651,8080,8443 -j DROP

Switch to a different authentication provider

all

Do not disable authentication outright: authenticationEnabled=false removes every authentication check and is worse than the vulnerability it works around. If another provider (for example token authentication) is already deployed, remove the SASL provider from the provider list and keep authentication enabled. Clients and proxies must be reconfigured for the replacement provider before the change.

In broker.conf keep authenticationEnabled=true and set authenticationProviders to the replacement provider only, e.g. authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken, dropping org.apache.pulsar.broker.authentication.AuthenticationProviderSasl; make the equivalent change in the proxy, websocket proxy and function worker configurations.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach Pulsar authentication endpoints
  • Enable detailed authentication logging and monitor for unusual authentication patterns

🔍 How to Verify

Check if Vulnerable:

Check the version of every SASL-enabled component and look in its configuration (broker.conf, proxy.conf, websocket.conf, functions_worker.yml) for authenticationEnabled=true together with org.apache.pulsar.broker.authentication.AuthenticationProviderSasl in authenticationProviders; only that combination on an unpatched version is exposed

Check Version:

pulsar-admin brokers version, or the version banner in the component's startup logs

Verify Fix Applied:

Confirm that each SASL-enabled component reports 2.11.3 or later on the 2.11 line, 3.0.2 or later on the 3.0 line, or 3.1.1 or later on the 3.1 line (3.2 and newer also include the fix), then confirm that SASL clients still authenticate after the signer secret has been rotated
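The two checks above can be scripted. The following added example is not Pulsar tooling: it takes the version string obtained from pulsar-admin brokers version or the startup log together with the text of the component's configuration file, and reports exposure only when the release is unfixed and the SASL provider is actually enabled. The affected-version rule encodes the advisory's list; the configuration fragments are constructed samples, while the key names and the provider class are Pulsar's own.

```python
"""Added exposure check for CVE-2023-51437 (not Pulsar tooling). A component is
exposed only if its version is on an unfixed release AND its configuration
enables the SASL authentication provider. Config fragments below are
constructed; key names and provider class are Pulsar's."""
import re
from typing import Dict, Tuple

# First fixed release on each affected line, per the advisory.
FIXED = {(2, 11): (2, 11, 3), (3, 0): (3, 0, 2), (3, 1): (3, 1, 1)}
SASL_PROVIDER = "org.apache.pulsar.broker.authentication.AuthenticationProviderSasl"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull major.minor.patch out of strings such as '3.0.1' or '2.11.2-SNAPSHOT'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable_version(text: str) -> bool:
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in FIXED:
        return (major, minor, patch) < FIXED[line]
    # Lines older than 2.11 never received a fix; lines newer than 3.1 were cut after it.
    return line < (2, 11)


def parse_conf(conf_text: str) -> Dict[str, str]:
    """Minimal key=value reader for broker.conf / proxy.conf / websocket.conf."""
    settings: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def sasl_enabled(conf_text: str) -> bool:
    """True when authentication is on and the SASL provider is in the list."""
    s = parse_conf(conf_text)
    enabled = s.get("authenticationEnabled", "false").lower() == "true"
    providers = [p.strip() for p in s.get("authenticationProviders", "").split(",")]
    return enabled and SASL_PROVIDER in providers


def exposed(version_text: str, conf_text: str) -> bool:
    """Both conditions must hold for the component to be exposed."""
    return is_vulnerable_version(version_text) and sasl_enabled(conf_text)


# Constructed broker.conf fragments (values are illustrative).
SASL_CONF = """\
# constructed sample, SASL enabled
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasServerRoleTokenSignerSecretPath=/etc/pulsar/sasl-signer.key
"""
TOKEN_CONF = """\
# constructed sample, token auth only
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
"""

if __name__ == "__main__":
    for v in ("2.10.5", "2.11.2", "2.11.3", "3.0.1", "3.0.2", "3.1.1", "3.2.0"):
        print(v, "exposed" if exposed(v, SASL_CONF) else "not exposed")
```

Note that a plain numeric comparison against the newest patched version would get this wrong: 3.0.1 sorts above 2.11.3 yet is vulnerable, which is why the check is per release line.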

📡 Detection & Monitoring

Log Indicators:

  • Bursts of failed SASL authentication attempts from one source address, far more than a misconfigured client produces
  • Failures arriving at a steady, machine-like cadence for minutes on end, consistent with a loop that resubmits a token while timing each reply

Network Indicators:

  • Sustained, evenly paced connection attempts to Pulsar's binary (6650/6651) or HTTP (8080/8443) ports from a single source
  • Many short-lived connections that each carry one authentication attempt and close as soon as it fails

SIEM Query:

source="pulsar.log" AND ("authentication failed" OR "SASL") | stats count by src_ip
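A lightweight version of that monitoring, as an added example that is neither the page's SIEM query nor part of Pulsar: it parses constructed broker-style log lines, groups authentication failures by peer address, flags sources that exceed a count threshold within a sliding window, and scores how machine-paced the failures are. The log layout and the wording of the failure message are assumptions; adapt LINE_RE to what your brokers actually emit before relying on it.

```python
"""Added detection example for timing-probe traffic against a Pulsar SASL
listener. Log lines are constructed; their layout (ISO timestamp, level,
thread, logger, "[/ip:port]" peer, message) and the failure text are
assumptions about broker logging, not Pulsar's guaranteed format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+WARN\s+.*?\[/(?P<src>\d+(?:\.\d+){3}):\d+\].*?[Aa]uthentication failed"
)


def constructed_log(burst: int = 30) -> str:
    """Constructed sample: a machine-paced burst of failures from 10.1.2.3
    (what a byte-by-byte timing probe looks like), two ordinary failures from
    10.9.9.9, and one unrelated INFO line."""
    base = datetime(2024, 1, 5, 10, 0, 0)
    logger = "org.apache.pulsar.broker.service.ServerCnx"
    msg = "Authentication failed: SASL role token signature mismatch"
    lines = [
        f"{(base + timedelta(milliseconds=200 * i)).isoformat()}Z WARN  "
        f"[pulsar-io-2-1] {logger} - [/10.1.2.3:{51000 + i}] {msg}"
        for i in range(burst)
    ]
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()}Z WARN  "
                 f"[pulsar-io-2-3] {logger} - [/10.9.9.9:40100] {msg}")
    lines.append(f"{(base + timedelta(seconds=70)).isoformat()}Z WARN  "
                 f"[pulsar-io-2-3] {logger} - [/10.9.9.9:40102] {msg}")
    lines.append(f"{(base + timedelta(seconds=80)).isoformat()}Z INFO  "
                 f"[pulsar-io-2-4] {logger} - [/10.9.9.9:40103] Created producer")
    return "\n".join(lines)


def parse_failures(log_text: str) -> Dict[str, List[datetime]]:
    """Group authentication-failure timestamps by source address."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events[m["src"]].append(ts)
    return events


def interarrival_cv(times: List[datetime]) -> Optional[float]:
    """Coefficient of variation of the gaps between consecutive failures.
    Human retries are irregular (cv well above 0); a probe loop is
    machine-paced (cv near 0). Needs at least three events."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return None
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return var ** 0.5 / mean


def flag_sources(events: Dict[str, List[datetime]],
                 window: timedelta = timedelta(minutes=5),
                 threshold: int = 20) -> Dict[str, int]:
    """Sources with at least `threshold` failures inside any `window`-long span
    (sliding window over sorted timestamps); the value is the peak count."""
    flagged: Dict[str, int] = {}
    for src, times in events.items():
        times = sorted(times)
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            n = hi - lo + 1
            if n >= threshold and n > flagged.get(src, 0):
                flagged[src] = n
    return flagged


if __name__ == "__main__":
    ev = parse_failures(constructed_log())
    for src, n in flag_sources(ev).items():
        print(f"{src}: {n} failures in 5 min, pacing cv={interarrival_cv(ev[src]):.3f}")
```

The count threshold alone catches the burst; the pacing score is what separates a probe from a broken client that retries on a back-off timer, so alert on the combination and tune the threshold to how many legitimate failures your busiest client produces.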
