DataHub is a popular open-source metadata platform that's actively used by numerous organizations to manage their data catalogs. Recently, a significant vulnerability was discovered (CVE-2022-39366) that could allow an attacker to bypass authentication and gain access to DataHub instances with any user privileges when the Metadata Service authentication is enabled.

The issue affects DataHub versions before 0.8.45, and the faulty component is the StatelessTokenService of the Metadata service (GMS). The vulnerability exists because StatelessTokenService relies on the parse method of io.jsonwebtoken.JwtParser, which does not require the token's cryptographic signature to be valid.

This post will cover the details of this vulnerability, explaining the root cause and providing some code snippets to help shed light on the issue. It will also include links to original references and exploit details, along with the recommended remediation steps.

The Vulnerability

The core of the issue lies in the StatelessTokenService component of the Metadata service. When handling a submitted JWT, it calls the parse method of io.jsonwebtoken.JwtParser. That method does not require a valid cryptographic signature, so tokens are accepted regardless of the algorithm they declare. As a result, an attacker can bypass authentication and connect to a DataHub instance as any user.

Here's a code snippet illustrating the problem:

// Vulnerable code in StatelessTokenService.java (illustrative)
// Requires io.jsonwebtoken.Claims, io.jsonwebtoken.Jwt, io.jsonwebtoken.Jwts,
// java.nio.charset.StandardCharsets and java.util.Collections
public Authentication getAuthenticatedUser(String token) {
  if (token != null) {
    // JwtParser.parse() also accepts a token that carries no signature segment,
    // so a missing or invalid signature never causes a failure here.
    final Jwt jwt = Jwts.parser()
        .setSigningKey(secret.getBytes(StandardCharsets.UTF_8))
        .parse(token);
    final String subject = ((Claims) jwt.getBody()).getSubject();
    return new UsernamePasswordAuthenticationToken(subject, null, Collections.emptyList());
  }
  return null;
}

As the snippet shows, parse() hands back whatever the token contains: it never insists on a valid signature, so the subject claim is trusted even when the token is unsigned. The JwtParser method that enforces signature verification is parseClaimsJws(), which rejects any token that is not a signed JWS whose signature verifies against the configured key.
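To make the difference concrete, here is an added Python example (not DataHub's code): a lenient subject extraction that mirrors the parse() behaviour beside a strict verifier that mirrors parseClaimsJws(); the key and tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; not a real DataHub signing secret.
SECRET = b"constructed-demo-secret"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a correctly signed HS256 token (constructed sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def lenient_subject(token: str) -> str:
    """Mirrors the flawed parse() path: the signature segment is optional and
    never checked, so whatever 'sub' the token carries is trusted."""
    return json.loads(_b64url_decode(token.split(".")[1]))["sub"]

def strict_subject(token: str, key: bytes) -> str:
    """Mirrors parseClaimsJws(): insist on a JWS with three segments, an HS256
    header and a matching HMAC before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("token is not a signed JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(parts[1]))["sub"]

def rejects(token: str, key: bytes) -> bool:
    """True when the strict verifier refuses the token."""
    try:
        strict_subject(token, key)
    except ValueError:
        return True
    return False
```

A token whose signature segment has been removed still yields a subject from lenient_subject(), while strict_subject() refuses it, which is exactly the check the vulnerable path lacked.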

Exploit Details

An attacker exploiting this vulnerability can bypass authentication by submitting a JWT with manipulated claims, gaining access to a DataHub instance as any user. The consequences can be severe, since the attacker could read sensitive metadata or perform unauthorized actions.

Original References

For more information about CVE-2022-39366, refer to the following official sources:

- CVE-2022-39366 - NVD Detail
- DataHub GitHub Repository
- DataHub Release v0.8.45

Remediation

To address this vulnerability, the DataHub developers released a fix in version 0.8.45 that adds proper signature verification to the StatelessTokenService. As there are no known workarounds, it is strongly recommended to update your DataHub instance to version 0.8.45 or later to ensure the security and integrity of your metadata platform.

You can find the updated DataHub version and release notes here:

- DataHub Release v0.8.45

In conclusion, the discovery of CVE-2022-39366 highlights the importance of ensuring that all components of an application, including third-party libraries, are thoroughly reviewed for security implications. By promptly addressing this vulnerability, DataHub users can continue to leverage the platform's features with confidence, knowing that their metadata is safe and secure.

Timeline

Published on: 10/28/2022 17:15:00 UTC
Last modified on: 10/31/2022 17:48:00 UTC