GMS-2022-1738: Login timing attack in ezsystems/ezpublish-kernel

June 2, 2022

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter ‘ibexa.security.authentication.constant_auth_time’. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

References

developers.ibexa.co/security-advisories/ibexa-sa-2022-006-vulnerabilities-in-page-builder-login-and-commerce
github.com/advisories/GHSA-xfqg-p48g-hh94
github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-xfqg-p48g-hh94

Code Behaviors & Features

Detect and mitigate GMS-2022-1738 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →