PT-2021-19906 · Unknown · Edgexfoundry

Published 2021-07-09 · Updated 2021-07-14 · CVE-2021-32753

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: EdgeX Foundry versions Edinburgh through Hanoi

Description: A vulnerability exists in EdgeX Foundry when the API gateway is configured for OAuth2 authentication and a proxy user is created. The client id and client secret required to obtain an OAuth2 authentication token are both set to the username of the proxy user. A remote network attacker can perform a dictionary-based password attack on the OAuth2 token endpoint of the API gateway to obtain an OAuth2 authentication token and use that token to make authenticated calls to EdgeX microservices from an untrusted network. OAuth2 is the default authentication method in the EdgeX Edinburgh release, but was changed to JWT in Fuji and later releases.

Recommendations: For EdgeX Foundry versions Edinburgh through Hanoi, upgrade to the EdgeX Ireland release to obtain the fix, as the OAuth2 authentication method is disabled in the Ireland release. If unable to upgrade and OAuth2 authentication is required, create OAuth2 users directly using the Kong admin API and forgo the use of the security-proxy-setup tool to create OAuth2 users.
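As an added audit example (not part of this advisory, and not EdgeX or Kong project code), the following Python script lists each Kong consumer's OAuth2 credentials and flags any whose client_secret equals its client_id or the consumer username, the condition described above; it also builds the fields for creating a credential with a random secret, the manual Kong admin API route the recommendation prefers over security-proxy-setup. It assumes the Kong admin API at http://localhost:8001 and the OAuth2 plugin's /consumers/{username}/oauth2 endpoint; the sample data is constructed.

```python
"""Audit Kong OAuth2 consumer credentials for the CVE-2021-32753 weak-secret pattern.
Assumptions (not from the advisory): Kong admin API on http://localhost:8001 and
the OAuth2 plugin's credential listing at GET /consumers/{username}/oauth2."""
import json
import secrets
import urllib.request

KONG_ADMIN = "http://localhost:8001"  # assumed default Kong admin listener


def weak_oauth2_credentials(creds_by_consumer):
    """Return (consumer, client_id) pairs whose client_secret is guessable.
    creds_by_consumer maps a consumer username to its OAuth2 credential list.
    A secret equal to the client_id or the username is the advisory's condition."""
    findings = []
    for username, creds in creds_by_consumer.items():
        for cred in creds:
            client_id, secret = cred.get("client_id"), cred.get("client_secret")
            if secret is not None and secret in (client_id, username):
                findings.append((username, client_id))
    return findings


def fetch_credentials(admin_url=KONG_ADMIN):
    """Collect OAuth2 credentials per consumer from Kong (first page only)."""
    with urllib.request.urlopen(f"{admin_url}/consumers") as resp:
        consumers = json.load(resp)["data"]
    result = {}
    for consumer in consumers:
        name = consumer["username"]
        with urllib.request.urlopen(f"{admin_url}/consumers/{name}/oauth2") as resp:
            result[name] = json.load(resp)["data"]
    return result


def strong_credential_fields(username, redirect_uri):
    """Fields for POST /consumers/{username}/oauth2, the manual route the advisory
    recommends over security-proxy-setup: the secret is random, not the username."""
    return {"name": username, "client_id": username,
            "client_secret": secrets.token_urlsafe(32), "redirect_uris": [redirect_uri]}


# Constructed sample of what the admin API might return, for offline use.
SAMPLE = {
    "edgex-proxy": [{"client_id": "edgex-proxy", "client_secret": "edgex-proxy"}],
    "ops-user": [{"client_id": "ops-client", "client_secret": "k7Qp2sV9xL0mR4tZ"}],
}
if __name__ == "__main__":
    for user, cid in weak_oauth2_credentials(SAMPLE):
        print(f"WEAK: consumer {user!r} OAuth2 client {cid!r} has a guessable secret")
```

Against a live gateway, replace SAMPLE with fetch_credentials() and run from a host that can reach the admin listener.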

Fix

Improper Authentication

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2021-32753
GHSA-XPH4-VMCC-52GH

Affected Products

Edgexfoundry