GHSA-2x4v-g8cx-jxrq: 
PHP vulnerability analysis and mitigation

A critical timing attack vulnerability was identified in Ibexa DXP's login system, tracked as GHSA-2x4v-g8cx-jxrq. The vulnerability affects ibexa/core versions 4.0.0 through 4.0.7 and 4.1.0 through 4.1.4. This security issue was discovered and responsibly disclosed by Christoph Rottermanner and Jonas Roller from it.sec, with the public disclosure occurring on May 31, 2022 (Ibexa Advisory, GitHub Advisory).

The vulnerability stems from an inadequate implementation of random execution time mechanisms intended to prevent timing attacks against user accounts. The system's attempt to hinder timing-based account enumeration was found to be insufficient in certain scenarios. This vulnerability is classified as CWE-208 and has been assigned a Critical severity rating (GitHub Advisory).

The vulnerability could allow attackers to discover whether specific user accounts exist in the system without knowing their passwords, potentially compromising user privacy and enabling targeted attacks (Ibexa Advisory).

The issue has been patched in versions 4.0.7 and 4.1.4 of ibexa/core. The fix implements constant time functionality, configured through a new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. The system will log a warning if the constant time is exceeded, in which case the setting should be increased (Ibexa Advisory).

The vulnerability was discovered by security researchers from it.sec, a consulting company founded in 1996 that specializes in information security, IT compliance & data protection, and IT forensics/discovery. Their responsible disclosure contributed to addressing this security concern before it could be widely exploited (Ibexa Advisory).