CVE-2018-8023

Name of the Vulnerable Software and Affected Versions: Apache Mesos versions prior to 1.4.2 Apache Mesos versions 1.5.0 Apache Mesos versions 1.5.1 Apache Mesos versions 1.6.0

Description: The issue concerns the comparison of the generated HMAC value against the provided signature in the JSON Web Token (JWT) implementation. Specifically, a standard == operator is used instead of a constant-time string comparison routine, making it vulnerable to a timing attack. This allows a malicious actor to exploit the timing difference of when the JWT validation function returns to reveal the correct HMAC value.

Recommendations: For Apache Mesos versions prior to 1.4.2, update to version 1.4.2 or later. For Apache Mesos versions 1.5.0, update to a version that includes the fix for this issue. For Apache Mesos versions 1.5.1, update to a version that includes the fix for this issue. For Apache Mesos versions 1.6.0, update to a version that includes the fix for this issue.