<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Oxia - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/oxia/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/oxia/feed.xml" rel="self" type="application/rss+xml"/><item><title>Oxia TLS Certificate Chain Validation Failure</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-oxia-tls-failure/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-oxia-tls-failure/</guid><description>Oxia's `trustedCertPool()` function fails to parse multi-certificate PEM bundles, leading to certificate chain validation failure and rejection of legitimate clients in mTLS deployments.</description><content:encoded><![CDATA[<p>The Oxia database platform, specifically versions 0.16.1 and earlier, contains a vulnerability in its TLS configuration parsing. The <code>trustedCertPool()</code> function within the <code>common/security/tls.go</code> file is designed to load trusted Certificate Authority (CA) certificates for mTLS authentication. However, the function only processes the first PEM-encoded certificate block within a specified CA file. This means that if a CA file contains a bundle of certificates, such as an intermediate CA and a root CA, only the first certificate is loaded and the rest are silently discarded. This issue was reported on GitHub as GHSA-7jrq-q4pq-rhm6 and can lead to a significant degradation of security posture.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An administrator configures Oxia to use mTLS for client authentication, specifying a CA bundle file containing both intermediate and root CA certificates via the <code>trustedCaFile</code> setting.</li>
<li>Oxia's <code>trustedCertPool()</code> function attempts to load the CA certificates from the specified file.</li>
<li>The <code>pem.Decode()</code> function is called, but it only parses the first PEM block (e.g., the intermediate CA certificate).</li>
<li>Subsequent certificates within the CA bundle (e.g., the root CA certificate) are silently ignored because the code doesn't iterate over all PEM blocks.</li>
<li>A legitimate client attempts to connect to Oxia using a certificate chain that is correctly signed by the intermediate CA, which is in turn signed by the root CA.</li>
<li>Oxia only trusts the intermediate CA certificate that was loaded.</li>
<li>Certificate chain validation fails because the root CA is not trusted, resulting in the error &quot;x509: certificate signed by unknown authority&quot;.</li>
<li>The legitimate client connection is rejected, effectively breaking mTLS authentication.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability results in the failure of certificate chain validation in mTLS deployments of Oxia. This means that legitimate clients with properly chained certificates are rejected, leading to a denial of service. Operators might be forced to disable client certificate verification, which severely weakens the security posture of Oxia deployments. All Oxia versions up to and including 0.16.1 are vulnerable if TLS with the <code>trustedCaFile</code> configuration is used.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by Oxia that iterates over all PEM blocks in the CA file (reference: GHSA-7jrq-q4pq-rhm6).</li>
<li>As a temporary workaround, use CA files containing only a single certificate (the direct issuer of client certificates) for the <code>trustedCaFile</code> configuration (reference: GHSA-7jrq-q4pq-rhm6).</li>
<li>Monitor Oxia server logs for &quot;x509: certificate signed by unknown authority&quot; errors after configuring mTLS, which may indicate this vulnerability is being triggered.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>tls</category><category>mtls</category><category>certificate-validation</category><category>oxia</category><category>vulnerability</category></item><item><title>Oxia Server Crash via Session Heartbeat Race Condition</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-oxia-dos/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-oxia-dos/</guid><description>A race condition in Oxia's session heartbeat handling allows a remote client to trigger a denial-of-service by sending rapid KeepAlive requests during session expiration or closure, leading to a server crash.</description><content:encoded><![CDATA[<p>A denial-of-service vulnerability exists in Oxia, an open-source distributed database, due to a race condition in the session heartbeat handling mechanism. This vulnerability can be exploited by a remote client to crash the Oxia data server process. The root cause lies in the interaction between the <code>heartbeat()</code> method in <code>session.go</code> and the <code>KeepAlive()</code> function in <code>session_manager.go</code>. Specifically, a time-of-check-to-time-of-use (TOCTOU) gap occurs when <code>KeepAlive()</code> releases the session manager's read lock before calling <code>heartbeat()</code>, allowing the session to be closed concurrently. All Oxia versions up to and including 0.16.1 are affected. Defenders should prioritize implementing detection mechanisms to identify potentially malicious <code>KeepAlive</code> patterns and plan for upgrading to patched versions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A client establishes a session with the Oxia data server.</li>
<li>The client sends regular <code>KeepAlive</code> requests to the server to maintain the session.</li>
<li>The server's <code>KeepAlive()</code> function receives the request and releases the session manager's read lock.</li>
<li>Before <code>heartbeat()</code> is called, the session expires or is closed due to other factors.</li>
<li>The <code>heartbeat()</code> method attempts to send a signal on the closed <code>heartbeatCh</code> channel.</li>
<li>Due to the race condition between session closure and the <code>heartbeat()</code> call, the server panics.</li>
<li>The Oxia data server process crashes, leading to a denial-of-service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a complete denial-of-service. The Oxia data server process crashes, interrupting all data services relying on that server. The number of affected systems depends on the scale of Oxia deployment. Organizations utilizing Oxia versions up to and including 0.16.1 are vulnerable. The impact can range from service disruption to data unavailability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a patched version of Oxia that includes the fixes for the heartbeat handling race condition.</li>
<li>Implement rate limiting on incoming <code>KeepAlive</code> requests to mitigate the impact of rapid requests (refer to network_connection log source).</li>
<li>Deploy the provided Sigma rule to detect anomalous patterns of <code>KeepAlive</code> requests (see the Sigma rule targeting webserver logs).</li>
<li>Monitor webserver logs for unusual spikes in <code>KeepAlive</code> requests (refer to webserver log source).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>race-condition</category><category>oxia</category></item><item><title>Oxia Bearer Token Exposure in Debug Logs</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-oxia-token-leak/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-oxia-token-leak/</guid><description>Oxia exposes the full bearer token, including JWT header, payload, and signature, in debug log messages when OIDC authentication fails, allowing attackers with log access to replay the tokens.</description><content:encoded><![CDATA[<p>Oxia, a distributed database, is vulnerable to exposing sensitive bearer tokens in its debug logs. Specifically, when OpenID Connect (OIDC) authentication fails, the complete JWT, including header, payload, and signature, is logged in plaintext at the DEBUG level. This occurs in versions 0.16.1 and earlier. If debug logging is enabled in production environments, these tokens are written to application logs and potentially any connected log aggregation systems. An attacker gaining access to these logs could then extract valid JWT tokens and use them to impersonate legitimate users. The vulnerability stems from the <code>validateTokenWithContext()</code> function within <code>oxiad/common/rpc/auth/interceptor.go</code>. Defenders should ensure that debug logging is disabled in production or implement detections to identify potential token leakage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user attempts to authenticate to an Oxia service using OIDC.</li>
<li>The <code>validateTokenWithContext()</code> function in <code>oxiad/common/rpc/auth/interceptor.go</code> is invoked to validate the provided JWT token.</li>
<li>If the token validation fails, the complete token is logged at DEBUG level using <code>slog.String(&quot;token&quot;, token)</code>.</li>
<li>The debug logs containing the full bearer token are written to the application log files.</li>
<li>An attacker gains unauthorized access to the application log files or the connected log aggregation system.</li>
<li>The attacker extracts valid JWT tokens from the compromised logs.</li>
<li>The attacker replays the extracted JWT token to authenticate as a legitimate user.</li>
<li>The attacker gains unauthorized access to Oxia resources and data, performing actions as the compromised user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The exposure of bearer tokens can lead to unauthorized access to Oxia resources. An attacker with access to application logs can extract valid JWT tokens and impersonate legitimate users. The impact depends on the privileges associated with the compromised user account. This vulnerability affects all Oxia deployments using OIDC authentication with debug logging enabled in production, potentially impacting a large number of users and sensitive data stored within the database.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure DEBUG-level logging is never enabled in production environments as a primary mitigation step (<a href="#workarounds">Workarounds</a>).</li>
<li>Deploy the Sigma rule to detect instances of failed authentication attempts where the full bearer token is logged, and investigate immediately ([Sigma rule: Detect Oxia Token Leak in Logs]).</li>
<li>Upgrade to a patched version of Oxia that redacts the token in log output, preserving only the last 8 characters.</li>
<li>Review and harden access controls for application logs and log aggregation systems to prevent unauthorized access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>oxia</category><category>jwt</category><category>token leakage</category><category>credential access</category></item></channel></rss>