CVE-2018-8023
Description
Apache Mesos JWT authentication in the Executor HTTP API uses a non-constant-time comparison, making HMAC secrets vulnerable to timing side-channel attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Apache Mesos versions prior to 1.4.2, as well as versions 1.5.0, 1.5.1, and 1.6.0, the Executor HTTP API can be configured to require JSON Web Token (JWT) authentication. The JWT implementation uses the standard `==` operator to compare the generated HMAC value against the provided signature, instead of a constant-time comparison routine [1][2]. Because `==` stops at the first mismatching byte, the validation function's return time depends on how many leading bytes of the supplied signature are correct, which an attacker can exploit to infer the correct HMAC secret key.
Exploitation
An attacker must have network access to an Apache Mesos endpoint that enforces JWT authentication for the Executor HTTP API. No additional authentication is required to initiate the attack. The attacker sends crafted JWT tokens to the endpoint and measures the response time of the validation function. By repeatedly sending tokens with varying signatures and observing the timing variations, the attacker can iteratively determine the correct HMAC value byte by byte [1]. The attack is computationally feasible but requires many requests and precise timing measurements.
Impact
If successful, the attacker learns the HMAC secret key used to sign JWTs. With this key, the attacker can forge arbitrary valid JWTs and gain unauthorized access to the Executor HTTP API. This could lead to full compromise of Mesos agent tasks, including the ability to execute arbitrary commands, read sensitive data, or disrupt cluster operations. The impact is limited by the requirement that the Mesos cluster must be configured to use JWT authentication for the Executor API [1][2].
Mitigation
The issue is fixed in Apache Mesos versions 1.4.2, 1.5.2, and 1.6.1 [2]. Users should upgrade immediately to the appropriate patched version. As a workaround, administrators can disable JWT authentication for the Executor HTTP API or switch to an alternative authentication method such as HTTP Basic or SPNEGO. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
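The vulnerable comparison described above, placed beside the constant-time form that the fix amounts to, as an added illustration that is not Mesos code (Mesos implements this in C++; this is a minimal HS256 JWT sign/verify pair in Python, with a constructed key and claims):

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def _split(token: str, key: bytes):
    """Return (expected_mac, provided_mac) for a token, or None if it is malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    try:
        return expected, b64url_decode(sig)
    except (ValueError, UnicodeEncodeError):
        return None


def verify_vulnerable(token: str, key: bytes) -> bool:
    """The pattern this CVE describes: a plain equality test over the MAC bytes.
    == can return as soon as one byte differs, so response time reveals how
    many leading bytes of the supplied signature already match."""
    macs = _split(token, key)
    return macs is not None and macs[0] == macs[1]


def verify_fixed(token: str, key: bytes) -> bool:
    """Same check with a comparison whose running time does not depend on
    where the first mismatch occurs (hmac.compare_digest)."""
    macs = _split(token, key)
    return macs is not None and hmac.compare_digest(macs[0], macs[1])


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # constructed value, not a real secret
    token = hs256_sign({"sub": "executor-1"}, KEY)
    print(verify_fixed(token, KEY), verify_fixed(token, b"wrong-key"))
```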
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.mesos:mesos (Maven) | < 1.4.2 | 1.4.2 |
| org.apache.mesos:mesos (Maven) | >= 1.5.0, < 1.5.2 | 1.5.2 |
| org.apache.mesos:mesos (Maven) | >= 1.6.0, < 1.6.1 | 1.6.1 |
Affected products
- Apache Software Foundation / Apache Mesos: versions prior to 1.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-c8cc-p3j7-4c7f (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2018-8023 (GHSA, advisory)
- https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3%40%3Cdev.mesos.apache.org%3E (MITRE, mailing list, x_refsource_MLIST)
- https://lists.apache.org/thread.html/9b9d3f6bd09f3ebd2284b82077033bdc71da550a1c4c010c2494acc3@%3Cdev.mesos.apache.org%3E (GHSA, web)
- https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E (MITRE, mailing list, x_refsource_MLIST)
- https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a@%3Cuser.flink.apache.org%3E (GHSA, web)
News mentions
No linked articles in our index yet.