Ongres SCRAM Timing Attack Vulnerability in Java Implementation
Vulnerability
A timing attack vulnerability has been identified in the Ongres SCRAM (Salted Challenge Response Authentication Mechanism) Java implementation, in versions prior to 3.2. The vulnerability arises because 'Arrays.equals' was used to compare secret values, such as client proofs and server signatures. This method performs a short-circuit comparison, leading to variations in execution time based on how many leading bytes match. Consequently, an attacker could exploit this timing side-channel to infer sensitive authentication information. All users relying on SCRAM authentication are affected.
Impact
Exploitation of this vulnerability allows for a timing attack that could enable an attacker to infer sensitive authentication material by analyzing the time variations in secret value comparisons.
Remediation
Users should upgrade to Ongres SCRAM version 3.2 or later, which addresses the vulnerability by replacing 'Arrays.equals' with 'MessageDigest.isEqual' to ensure constant-time comparisons.
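The change described above, as an added example that is not code from the Ongres SCRAM project: the two comparisons side by side on a server signature, plus a simplified byte-by-byte model of short-circuit comparison that counts how many bytes are examined before a mismatch is reported. The class and helper names, the key, and the auth message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ScramCompareDemo {
    // Simplified model of a short-circuit comparison (hypothetical helper):
    // returns how many bytes are examined before the result is known.
    static int bytesExaminedShortCircuit(byte[] a, byte[] b) {
        if (a.length != b.length) return 0;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return i + 1; // stops at the first mismatch
        }
        return a.length;
    }

    static byte[] hmacSha256(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Before: the comparison the advisory identifies as the flaw.
    static boolean verifyShortCircuit(byte[] expected, byte[] received) {
        return Arrays.equals(expected, received);
    }

    // After: the comparison the advisory says version 3.2 uses.
    static boolean verifyConstantTime(byte[] expected, byte[] received) {
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real exchange.
        byte[] serverKey = "constructed-demo-server-key".getBytes(StandardCharsets.UTF_8);
        String authMessage = "n=user,r=abc,r=abcdef,s=c2FsdA==,i=4096,c=biws,r=abcdef";
        byte[] expected = hmacSha256(serverKey, authMessage);
        for (int firstMismatch : new int[] {0, 8, 31}) {
            byte[] received = expected.clone();
            received[firstMismatch] ^= 0x01; // flip one bit at this index
            System.out.printf("mismatch at %2d: model examines %2d of %d bytes, "
                    + "Arrays.equals=%b, MessageDigest.isEqual=%b%n",
                firstMismatch, bytesExaminedShortCircuit(expected, received),
                expected.length, verifyShortCircuit(expected, received),
                verifyConstantTime(expected, received));
        }
        System.out.println("exact match accepted: " + verifyConstantTime(expected, expected.clone()));
    }
}
```

Both methods return the same boolean for every input; the difference is only in how much work is done before returning, which is why the fix is a drop-in replacement.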
