CVE-2026-40942
Cache Logic Flaws in DSF OIDC Components Cause Token and Metadata Issues
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Data Sharing Framework (DSF) prior to version 2.1.0. It involves incorrect time comparisons in caching mechanisms for OIDC JWKS and Metadata Document caches, as well as the OIDC token cache for FHIR client connections.
Specifically, the caches used an inverted time comparison (using isBefore instead of isAfter), which caused the JWKS and Metadata Document caches to never return cached values, forcing a fresh HTTP fetch on every request.
Additionally, the OIDC token cache never invalidated tokens because of the same inverted time comparison, causing every request to return the same OIDC token even if it was expired.
This flaw was fixed in version 2.1.0 of the DSF.
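The inverted comparison described above, shown as an added example that is not DSF's own code: a hypothetical expiring cache run once with the isBefore predicate and once with the corrected isAfter, driven by a constructed clock so both symptoms (fresh entries refetched every call, expired entries served indefinitely) are visible.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Added example, not DSF's own code: a minimal expiring cache whose expiry
// predicate can run in the inverted form the advisory describes or in the
// corrected form. It counts upstream fetches so both symptoms are visible:
// a fresh entry is refetched on every call, an expired entry is served forever.
public final class ExpiringCacheExample {
    private final boolean inverted;
    private Instant now;     // injected clock so the run is deterministic
    private String value;
    private Instant expiresAt;
    int fetches;             // how many times the upstream was contacted

    ExpiringCacheExample(boolean inverted, Instant start) {
        this.inverted = inverted;
        this.now = start;
    }

    void advance(Duration d) { now = now.plus(d); }

    // CWE-670: isBefore counts an entry as usable only once its expiry is in
    // the past; the corrected isAfter serves it only while expiry lies ahead.
    private boolean cachedEntryUsable() {
        if (value == null) return false;
        return inverted ? expiresAt.isBefore(now) : expiresAt.isAfter(now);
    }

    String get(Supplier<String> upstream, Duration lifetime) {
        if (cachedEntryUsable()) return value;
        fetches++;
        value = upstream.get();
        expiresAt = now.plus(lifetime);
        return value;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2026-04-21T12:00:00Z"); // constructed clock start
        Duration lifetime = Duration.ofMinutes(5);
        for (boolean inverted : new boolean[] {true, false}) {
            ExpiringCacheExample cache = new ExpiringCacheExample(inverted, t0);
            Supplier<String> upstream = () -> "token-" + cache.fetches; // stamps fetch number
            String a = cache.get(upstream, lifetime); // cold cache: must fetch
            String b = cache.get(upstream, lifetime); // still fresh: should be a hit
            cache.advance(Duration.ofMinutes(10));    // now past the 5 minute lifetime
            String c = cache.get(upstream, lifetime); // expired: must fetch again
            System.out.printf("inverted=%b: %s, %s, %s (fetches=%d)%n",
                    inverted, a, b, c, cache.fetches);
        }
    }
}
```

With the inverted predicate the second call refetches although the entry is fresh, and the call after the clock advance returns the stale token without contacting the upstream again; the corrected predicate does the opposite in both cases.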
How can this vulnerability impact me?
Because the JWKS and Metadata Document caches never return cached values, every incoming request triggers a fresh HTTP fetch from the OIDC provider, which can lead to increased latency and higher load on the OIDC provider.
More critically, the OIDC token cache never invalidates expired tokens, meaning that expired tokens may be accepted and reused, potentially allowing unauthorized access or session continuation beyond intended expiration.
This can lead to security risks such as unauthorized access to protected resources or data, and performance degradation due to excessive network requests.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in version 2.1.0 of the Data Sharing Framework (DSF). To mitigate this vulnerability, you should upgrade your DSF installation to version 2.1.0 or later.