CVE-2023-46129
CVE Details
Initial Publication
10/25/2024
Last Update
12/16/2024
Third Party Dependency
github.com/nats-io/nats-server/v2
NIST CVE Summary
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.
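The defect described above is a Go calling-convention mistake: a fixed-size array such as `[32]byte` is a value type, so a function that takes it as a plain parameter receives a copy and any bytes it writes never reach the caller. The program below is an added illustration, not code from the nkeys library or the NATS server; the helper names (`fillByValue`, `fillByPointer`, `deriveInto`) and the 0xAB source bytes are constructed for the example, and the key derivation is a stand-in copy rather than the real X25519 handling.

```go
package main

import (
	"bytes"
	"fmt"
)

// keySize is the byte length of the key buffer used in this demonstration.
const keySize = 32

// deriveInto stands in for the key-derivation step: it copies constructed
// source bytes into dst so the effect of the calling convention is visible.
// It is not the nkeys derivation.
func deriveInto(dst []byte, src []byte) {
	copy(dst, src)
}

// fillByValue mirrors the defective pattern from the advisory: the array
// parameter is a copy, so every write lands in the callee's copy and the
// caller's array is left as all zeros.
func fillByValue(key [keySize]byte, src []byte) {
	deriveInto(key[:], src)
}

// fillByPointer is the corrected form: the callee receives the address of the
// caller's array and writes into that memory directly.
func fillByPointer(key *[keySize]byte, src []byte) {
	deriveInto(key[:], src)
}

// isAllZero is the sanity check a caller can run before using a key buffer;
// an all-zero key here means the fill step never reached this array.
func isAllZero(key [keySize]byte) bool {
	return bytes.Equal(key[:], make([]byte, keySize))
}

// BuggyKey returns the key buffer the caller ends up with under the
// by-value bug.
func BuggyKey(src []byte) [keySize]byte {
	var key [keySize]byte
	fillByValue(key, src)
	return key
}

// FixedKey returns the key buffer the caller ends up with after the
// pointer fix.
func FixedKey(src []byte) [keySize]byte {
	var key [keySize]byte
	fillByPointer(&key, src)
	return key
}

func main() {
	// Constructed stand-in for key material; not real nkeys output.
	src := bytes.Repeat([]byte{0xAB}, keySize)

	fmt.Printf("by-value fill left key all zeros:   %v\n", isAllZero(BuggyKey(src)))
	fmt.Printf("by-pointer fill left key all zeros: %v\n", isAllZero(FixedKey(src)))
}
```

Running it prints `true` for the by-value path and `false` for the pointer path. The same `isAllZero` check is a cheap guard to keep in code that prepares encryption keys: a zeroed buffer at the point of use is never a valid key and should fail loudly rather than be fed to the cipher.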
CVE Severity
Our Official Summary
This denial of service attack is reported on some third party containers used by the product. Risk of exploitation of this vulnerability for our products is low, since it requires an attacker to have privileged access to the containers, and the containers do not allow arbitrary code to be run on them. Impact of exploitation is also low since the containers have a limited attack surface. The third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available.
Status
Ongoing
Affected Products & Versions
This CVE is non-impacting, as the impacting symbol and/or function is not used in the product.
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11, 4.5.15 |
| 11/28/2024 | Official summary revised: This denial of service attack is reported on some third party containers used by the product. Risk of exploitation of this vulnerability for our products is low, since it requires an attacker to have privileged access to the containers, and the containers do not allow arbitrary code to be run on them. Impact of exploitation is also low since the containers have a limited attack surface. The third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available. |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.5.10 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |