Data Sharing Framework OIDC Cache Logic Vulnerability
Vulnerability
A vulnerability exists in the Data Sharing Framework (DSF) in versions prior to 2.1.0, specifically in the OIDC JWKS and Metadata Document cache mechanisms. An incorrect time comparison in the cache logic means cached entries are never served: the OIDC Metadata Document and the JWKS keys are fetched from the OIDC provider anew on every incoming request instead of being read from the cache. In addition, the OIDC token cache used for FHIR client connections does not invalidate expired tokens, so requests are made with outdated tokens instead of a freshly obtained one.
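As an added illustration (hypothetical Java, not DSF's implementation; the class names, fields and the loader/token-endpoint interfaces are assumptions), the sketch below contrasts a cache whose expiry comparison is flipped with the correct comparison, and a token cache that never checks expiry with one that refreshes shortly before the token expires. A controllable clock stands in for wall time so the behaviour can be observed without a real OIDC provider.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

/** Hypothetical TTL caches reproducing the two defects described above. Not DSF code. */
public final class OidcCacheDemo {

    /** A cached value and the instant from which it must no longer be served. */
    static final class Entry<T> {
        final T value;
        final Instant expiresAt;
        Entry(T value, Instant expiresAt) { this.value = value; this.expiresAt = expiresAt; }
    }

    /** Document cache (JWKS / metadata). inverted=true reproduces the flipped time comparison. */
    static final class DocumentCache<T> {
        private final Supplier<Instant> clock;
        private final Duration ttl;
        private final Supplier<T> loader;   // stands in for the HTTP fetch from the OIDC provider
        private final boolean inverted;
        private Entry<T> entry;
        int upstreamFetches;                 // how often the provider was actually contacted

        DocumentCache(Supplier<Instant> clock, Duration ttl, Supplier<T> loader, boolean inverted) {
            this.clock = clock; this.ttl = ttl; this.loader = loader; this.inverted = inverted;
        }

        synchronized T get() {
            Instant now = clock.get();
            boolean stale;
            if (entry == null) {
                stale = true;
            } else if (inverted) {
                // Bug pattern: "now < expiresAt" is treated as stale, so a still-valid entry is
                // re-fetched on every call, while an expired entry is served forever.
                stale = now.isBefore(entry.expiresAt);
            } else {
                // Correct: an entry is stale once now >= expiresAt.
                stale = !now.isBefore(entry.expiresAt);
            }
            if (stale) {
                entry = new Entry<>(loader.get(), now.plus(ttl));
                upstreamFetches++;
            }
            return entry.value;
        }
    }

    /** Access-token cache. checkExpiry=false reproduces a cache that never invalidates. */
    static final class TokenCache {
        private static final Duration SKEW = Duration.ofSeconds(30); // refresh a little early
        private final Supplier<Instant> clock;
        private final Supplier<Entry<String>> tokenEndpoint; // returns token plus its expiry
        private final boolean checkExpiry;
        private Entry<String> entry;
        int tokenRequests;

        TokenCache(Supplier<Instant> clock, Supplier<Entry<String>> tokenEndpoint, boolean checkExpiry) {
            this.clock = clock; this.tokenEndpoint = tokenEndpoint; this.checkExpiry = checkExpiry;
        }

        synchronized String token() {
            Instant now = clock.get();
            boolean needsRefresh = entry == null
                    || (checkExpiry && !now.plus(SKEW).isBefore(entry.expiresAt));
            if (needsRefresh) {
                entry = tokenEndpoint.get();
                tokenRequests++;
            }
            return entry.value;
        }
    }

    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2024-01-01T00:00:00Z") }; // constructed, controllable clock
        Supplier<Instant> clock = () -> now[0];
        Duration ttl = Duration.ofMinutes(10);

        DocumentCache<String> buggy = new DocumentCache<>(clock, ttl, () -> "jwks-v1", true);
        DocumentCache<String> fixed = new DocumentCache<>(clock, ttl, () -> "jwks-v1", false);
        int[] buggyIssued = {0}, fixedIssued = {0};
        TokenCache buggyTokens = new TokenCache(clock,
                () -> new Entry<>("tok-" + (++buggyIssued[0]), now[0].plus(Duration.ofMinutes(5))), false);
        TokenCache fixedTokens = new TokenCache(clock,
                () -> new Entry<>("tok-" + (++fixedIssued[0]), now[0].plus(Duration.ofMinutes(5))), true);

        for (int i = 0; i < 5; i++) { buggy.get(); fixed.get(); buggyTokens.token(); fixedTokens.token(); }
        System.out.println("5 requests within TTL, provider fetches: buggy=" + buggy.upstreamFetches
                + " fixed=" + fixed.upstreamFetches);

        now[0] = now[0].plus(Duration.ofMinutes(11)); // advance past both the TTL and the token lifetime
        buggy.get(); fixed.get();
        System.out.println("after TTL, provider fetches: buggy=" + buggy.upstreamFetches
                + " fixed=" + fixed.upstreamFetches);
        System.out.println("token after expiry: buggy=" + buggyTokens.token()
                + " fixed=" + fixedTokens.token());
    }
}
```

Run as `java OidcCacheDemo.java` (JDK 11 or later). The buggy document cache contacts the provider on every one of the five in-TTL requests and then stops refreshing once the entry has actually expired, whereas the correct comparison fetches once and refreshes only after the TTL; the buggy token cache keeps handing out the first token after its five-minute lifetime has passed, while the expiry-checking cache obtains a new one.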
Impact
This vulnerability leads to performance degradation by increasing network latency with unnecessary round-trips to the OIDC provider. It also causes reliability issues, as cached OIDC tokens can become unusable after expiration, with no way to refresh them until the BPE server is restarted. During any OIDC provider downtime, requests would fail instead of using cached data. Furthermore, the added load on the OIDC provider could trigger rate limiting.
Remediation
Update to DSF version 2.1.0, where this vulnerability is fixed. Instructions for updating can be found in the DSF documentation.
