
Cloud Vulnerability DB
A community-led vulnerabilities database
An observable timing discrepancy vulnerability was discovered in the Apache Pulsar SASL Authentication Provider. It affects Apache Pulsar through version 2.10.5, versions 2.11.0 through 2.11.2, versions 3.0.0 through 3.0.1, and version 3.1.0. The vulnerability was disclosed on February 7, 2024, and assigned CVE-2023-51437. The affected components are the Pulsar Broker, Proxy, Websocket Proxy, and Function Worker when running the SASL Authentication Provider (Openwall Advisory).
The vulnerability is classified as CWE-203 (Observable Discrepancy) with a CVSS v3.1 base score of 7.4 (HIGH) and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. The issue allows an attacker to exploit timing differences in the SASL token signature verification process, potentially leading to the ability to forge SASL Role Tokens that would pass signature verification (NVD).
If successfully exploited, this vulnerability could allow an attacker to forge SASL Role Tokens that pass signature verification, potentially leading to unauthorized access to protected resources. The high CVSS score indicates significant potential impact on both confidentiality and integrity of the affected systems (NVD).
Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1, which fix the issue. Additionally, users should consider updating the configured secret in the saslJaasServerRoleTokenSignerSecretPath file, since a token forged against the old secret would otherwise remain valid. Users running Pulsar 2.8, 2.9, 2.10, and earlier versions should upgrade to one of the patched versions (Openwall Advisory).
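The following is an added illustration, not Pulsar's own code: a constructed HMAC role-token checker that places the early-exit string comparison behind a CWE-203 observable discrepancy next to a constant-time comparison. The token format (`role.hexmac`), the secret, and all function names are assumptions; the naive comparison is instrumented to return how many characters it inspected, so the discrepancy is visible without timing measurements.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed signer secret (assumption; stands in for the configured secret file).
SECRET = b"constructed-signer-secret"


def sign_role_token(role: str, secret: bytes = SECRET) -> str:
    """Assumed token format: '<role>.<hex HMAC-SHA256 of role>'."""
    mac = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{mac}"


def naive_equal(a: str, b: str) -> Tuple[bool, int]:
    """Early-exit comparison: the pattern behind an observable discrepancy.
    Returns (equal, characters_compared); the count depends on how long the
    shared prefix is, which is exactly what a remote observer must not learn."""
    if len(a) != len(b):
        return False, 0
    compared = 0
    for x, y in zip(a, b):
        compared += 1
        if x != y:
            return False, compared
    return True, compared


def verify_naive(token: str, secret: bytes = SECRET) -> Tuple[bool, int]:
    role, _, presented = token.rpartition(".")
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return naive_equal(expected, presented)


def verify_constant_time(token: str, secret: bytes = SECRET) -> bool:
    """Hardened form: hmac.compare_digest inspects every byte regardless of
    where the first mismatch sits, so no prefix-length signal is exposed."""
    role, _, presented = token.rpartition(".")
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), presented.encode())


def tamper(token: str, index: int) -> str:
    """Flip one hex character of the signature (test helper, constructed)."""
    role, _, sig = token.rpartition(".")
    chars = list(sig)
    chars[index] = "0" if chars[index] != "0" else "1"
    return f"{role}.{''.join(chars)}"
```

With a valid token, `verify_naive` reports 64 characters compared; with the first signature character wrong it stops after 1, and with only the last wrong it runs all 64, while `verify_constant_time` simply rejects both.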
Source: This report was generated using AI