Problem/Motivation

Security advisory reported by `composer audit`:

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | firebase/php-jwt                                                                 |
| CVE               | CVE-2021-46743                                                                   |
| Title             | Key/algorithm type confusion                                                     |
| URL               | https://github.com/advisories/GHSA-8xf4-w7qw-pjjw                                |
| Affected versions | <6.0.0                                                                           |
| Reported at       | 2022-03-30T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Where firebase/php-jwt is required:
html/modules/contrib/salesforce/modules/salesforce_jwt/composer.json: "firebase/php-jwt": "^5.0",
html/modules/contrib/salesforce/composer.json: "firebase/php-jwt": "^5.0",
html/modules/contrib/salesforce/composer.json: "firebase/php-jwt": "Required for salesforce_jwt, recommended auth provider.",

Steps to reproduce

composer audit

Proposed resolution

Update to a version of firebase/php-jwt > 6.0, or give an explanation like the one at http://drupal.org/project/jwt

Remaining tasks

User interface changes

API changes

Data model changes

Comments

SocialNicheGuru created an issue. See original summary.

  • AaronBauman committed f9d9fcd9 on 5.0.x
    Support JWT-PHP 5 or 6, per discussion. Addresses issues #3343671 and #...
aaronbauman commented:

Status: Active » Closed (works as designed)
Related issues:

Thank you for the report.
I discussed this with the security team, including pwolanin who confronted the same issue for https://www.drupal.org/project/jwt

tl;dr: the CVE for PHP-JWT does not affect Salesforce Suite

The vulnerability depends on using a keychain (multiple keys in an array or \ArrayAccess interface object) as the 2nd argument passed into JWT::decode(), and on having multiple algorithms passed in the array as the 3rd argument. In addition the keychain must have a mix of algorithm types such as both RS256 and HS256.

salesforce_jwt only calls JWT::encode($token, $key, 'RS256') and never JWT::decode() so it cannot possibly be vulnerable to the key confusion issue.

See more info on the https://www.drupal.org/project/jwt project page.

Also, in the future, please follow security issue reporting protocol to report any potential security vulnerabilities.
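To make the distinction in the comment above concrete, here is an added illustration (not code from Salesforce Suite or from firebase/php-jwt itself) of the call shape the module uses, a single key and a single fixed algorithm passed to JWT::encode(), next to the 6.x decode form in which each Key object carries its own algorithm, so a keychain can no longer be combined with a list of accepted algorithms. The RSA key pair, the HS256 secret and the claim values are constructed placeholders generated inside the script; the script assumes firebase/php-jwt 6.x is installed via Composer.

```php
<?php
// Added example, not Salesforce Suite code. Assumes firebase/php-jwt ^6.0
// is installed and Composer's autoloader is available.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Constructed sample key material: a throwaway RSA pair generated at runtime
// so the script runs offline, plus an HS256 secret used only to show rejection.
$res = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($res, $privateKey);
$publicKey    = openssl_pkey_get_details($res)['key'];
$hmacSecret   = bin2hex(random_bytes(32));

// Issuer side: the same shape salesforce_jwt uses. One key, one algorithm
// string, no keychain and no list of algorithms, so the key/algorithm
// confusion described in the advisory has nothing to act on.
$claims = [
    'iss' => 'placeholder-consumer-key',
    'sub' => 'user@example.com',
    'aud' => 'https://login.example.invalid',
    'exp' => time() + 300,
];
$jwt = JWT::encode($claims, $privateKey, 'RS256');

// Verifier side (only relevant if a decode() call is ever added): in 6.x the
// algorithm is bound to the key, not taken from the token header, so an RSA
// public key can never be used as an HMAC secret.
$rsaKey  = new Key($publicKey, 'RS256');
$decoded = JWT::decode($jwt, $rsaKey);
printf("RS256 token accepted for subject %s\n", $decoded->sub);

// A token signed with HS256 must be rejected by a key pinned to RS256, even
// though the header's "alg" field claims a valid algorithm name.
$hmacToken = JWT::encode($claims, $hmacSecret, 'HS256');
try {
    JWT::decode($hmacToken, $rsaKey);
    echo "UNEXPECTED: HS256 token accepted by RS256 key\n";
} catch (\UnexpectedValueException $e) {
    // 6.x reports the mismatch between the key's algorithm and the header.
    printf("HS256 token rejected as expected: %s\n", $e->getMessage());
}
```

The point to check in a review of any JWT-consuming code is the second argument to decode(): a single Key (or a Key per `kid`, each with its own algorithm) is the 6.x shape; a bare array of key material plus an `array $allowed_algs` is the pre-6.0 shape the advisory is about.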

bkosborne commented:

Note that version 5.x of firebase/jwt no longer seems supported, since the security vulnerability was addressed only in the 6.x branch of that project. However, it seems there's nothing preventing users of this module from updating to the 6.x branch. While it's true that the composer.json file in the salesforce_jwt submodule lists 5.x as required, composer doesn't look at the composer.json files of submodules when resolving dependency requirements.

I think the Salesforce module should update to test and declare support of the 6.x branch of firebase/jwt, but from what I can tell that package's API is limited to one method call to encode a JWT. There don't appear to be any breaking changes from the 5.x > 6.x branch that would impact the way this module uses that API call.

inversed commented:

Also, in case anyone did not realize, now that the roave/security-advisories package is aware of this, it blocks a composer update if the installed firebase/php-jwt package is 5.x.

I didn't have any problems manually requiring firebase/php-jwt:6.0 and it looks like the salesforce:5.0.x-dev version has an updated composer.json to support 5.0 or 6.0 so I figure this issue will get resolved eventually.