Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Sijie Guo
For people who are following this thread, I want to make a clarification about this issue (and apologize for not making it clear at the beginning). This issue will ONLY happen to users who are using the JWT authentication provider. If you are using other authentication providers, you are NOT impac

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Sijie Guo
Jonathan, Providing guides to Pulsar users on how to build a 2.6 image rather than promoting a vendor image is much better. - Sijie On Thu, May 27, 2021 at 12:40 PM Jonathan Ellis wrote: > Hi Sijie, > > Given the serious nature of this vulnerability, we thought it was best to > provide Apache

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Jonathan Ellis
Hi Sijie, Given the serious nature of this vulnerability, we thought it was best to provide Apache Pulsar users with a 2.6 build as quickly as possible, in parallel with helping out on an official 2.6.4 release. On Thu, May 27, 2021 at 2:24 PM Sijie Guo wrote: > Chris - I don't think it is appr

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Sijie Guo
Chris - I don't think it is appropriate to promote a vendor image here from a vendor perspective. A better approach is to point out that the change has been cherry-picked to branch-2.6 and that an ongoing discussion for getting a new bugfix release for branch 2.6 is out. - Sijie On Thu, May 27, 2021 at 1

Re: [SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-27 Thread Chris Bartholomew
For folks on Pulsar 2.6 using token-based authentication, since there is no 2.6 version with the CVE fix yet available, you are welcome to use our Pulsar Docker images which contain the fix and which we have confirmed resolves the CVE: - datastax/pulsar:2.6.2_1.0.1

[SECURITY] [CVE-2021-22160] Authentication with JWT allows use of “none”-algorithm

2021-05-25 Thread PengHui Li
CVE-2021-22160 Apache Pulsar Information Disclosure Severity: High Versions Affected: Apache Pulsar < 2.7.1 Description: If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the present
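The failure mode the advisory describes, shown as an added example that is not Pulsar's code and not part of the advisory: a minimal HS256 JWT signer, a verifier that trusts the algorithm named in the token's own header (and so accepts an unsigned "none" token that anybody can mint without the key), and a hardened verifier that pins the algorithm it will accept. The key, claims and tokens are constructed for the example; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature; alg='none' yields an empty signature."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        sig = ""  # RFC 7518 "none": no signature at all
    elif alg == "HS256":
        sig = _b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    else:
        raise ValueError("unsupported alg for this example")
    return signing_input + "." + sig


def forge_none_token(claims: dict) -> str:
    """Attacker side: no key needed, the header simply declares alg=none."""
    return sign_jwt(claims, b"", alg="none")


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE pattern: honours whatever alg the attacker-controlled header declares."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") == "none":
        # Signature is never checked: any claims the client wrote are accepted.
        return json.loads(_b64url_decode(body_b64))
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(body_b64))
    return None


def verify_pinned(token: str, key: bytes, allowed_alg: str = "HS256") -> Optional[dict]:
    """HARDENED pattern: the verifier, not the token, decides the algorithm.

    Anything other than the configured alg (including 'none', 'None', 'NONE',
    or a switch from RS256 to HS256) is rejected before any crypto runs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != allowed_alg or not sig_b64:
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))


# Constructed sample data for a stand-alone run (not real Pulsar tokens).
KEY = b"constructed-example-secret"
LEGIT_CLAIMS = {"sub": "alice", "role": "consumer"}
FORGED_CLAIMS = {"sub": "admin", "role": "superuser"}


def demo() -> dict:
    legit = sign_jwt(LEGIT_CLAIMS, KEY)
    forged = forge_none_token(FORGED_CLAIMS)
    return {
        "legit_trusting": verify_trusting_header(legit, KEY),
        "forged_trusting": verify_trusting_header(forged, KEY),  # accepted: the bug
        "legit_pinned": verify_pinned(legit, KEY),
        "forged_pinned": verify_pinned(forged, KEY),  # None: rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the hardened verifier is that the accepted algorithm comes from the server's configuration, never from the token header; a library that lets the header select the algorithm (or that treats "none" as a valid signing algorithm by default) has to be configured or wrapped so that the expected algorithm is pinned before the signature check.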