Remove a timing channel in Password matching

[fredfeng]

Hi,

I found a timing channel in Password.java:
https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java#L105

By using Arrays.equals, it actually violates the "constant-time-implementation" discipline.

For more information about timing attack:
https://codahale.com/a-lesson-in-timing-attacks/

[ebourg]

Is there a CVE ID assigned to this issue?

[fredfeng]

Not yet. Shall I create one?

[ebourg]

Ideally yes. A CVE ID raises the awareness of the security issue and allows downstream users like Linux distributions to notice it and quickly publish a fix.

[fredfeng]

Sure, I will do it later today and attach the CVE ID.

[carnil]

Downstream bug in Debian: https://bugs.debian.org/864898

[carnil]

This has been assigned CVE-2017-9735

[fredfeng]

Thanks!

[fredfeng]

But I got the following error message:
ERROR: Couldn't find 'CVE-2017-9735'