Description
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
A flaw was found in the jose package, where a large number of iterations used to derive the wrapping key for the PBKDF2 algorithm may lead to a denial of service. This flaw allows an attacker to set a large number of PBKDF2 iterations, triggering uncontrolled resource consumption that impacts the availability of the targeted application.
Report
The PBES2 family of JWE key management algorithms uses a JOSE Header Parameter called p2c (PBES2 Count), which sets the number of PBKDF2 iterations used to derive the key that wraps the CEK. The protected header is attacker-controlled and is processed before any key is unwrapped or any ciphertext is authenticated, so a receiver that honors an arbitrarily large p2c performs that many PBKDF2 iterations before it can reject the message. A remote attacker can therefore cause excessive CPU consumption and a denial of service with a single crafted JWE. The fix is to cap p2c at a deployment-chosen maximum before running the key derivation.
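The check described above, written out as an added Python example (this is not code from latchset/jose or from Red Hat). It parses the protected header of a compact-serialized JWE, rejects the message when p2c is missing, non-integer or above a cap, and only then runs PBKDF2 with the RFC 7518 salt layout (UTF8(alg) || 0x00 || p2s). The cap value MAX_P2C, the helper names and the two sample tokens are assumptions constructed for the example; the 16-octet salt input is likewise constructed, not taken from any real deployment.

```python
"""Screen a JWE PBES2 header for an oversized p2c before running PBKDF2.

Added illustration, not code from latchset/jose. MAX_P2C, the helper names
and the sample tokens are assumptions; key sizes and the salt layout follow
RFC 7518 section 4.8.
"""
import base64
import hashlib
import json

# RFC 7518 section 4.8: PBES2 alg -> (wrapping-key length in octets, PRF hash)
PBES2_ALGS = {
    "PBES2-HS256+A128KW": (16, "sha256"),
    "PBES2-HS384+A192KW": (24, "sha384"),
    "PBES2-HS512+A256KW": (32, "sha512"),
}

# Deployment-chosen ceiling (assumption). RFC 7518 recommends at least 1000
# iterations and sets no upper bound, which is what the attack abuses.
MAX_P2C = 100_000


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def protected_header(compact_jwe: str) -> dict:
    """Decode the first segment of a compact-serialized JWE (the protected header)."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have five segments")
    return json.loads(b64url_decode(parts[0]))


def check_pbes2_header(header: dict, max_p2c: int = MAX_P2C) -> tuple:
    """Validate alg, p2c and p2s; return (alg, p2c, p2s) or raise ValueError."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 key-management alg: {alg!r}")
    p2c = header.get("p2c")
    # bool is an int subclass in Python, so reject it explicitly
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError("p2c must be a positive integer")
    if p2c > max_p2c:
        # The check that matters: refuse before spending CPU on the KDF
        raise ValueError(f"p2c={p2c} exceeds cap {max_p2c}")
    p2s = b64url_decode(header.get("p2s", ""))
    if len(p2s) < 8:
        raise ValueError("p2s must be at least 8 octets")
    return alg, p2c, p2s


def derive_wrapping_key(password: bytes, header: dict, max_p2c: int = MAX_P2C) -> bytes:
    """PBKDF2 per RFC 7518 4.8.1.1: salt = UTF8(alg) || 0x00 || p2s, p2c iterations."""
    alg, p2c, p2s = check_pbes2_header(header, max_p2c)
    key_len, prf = PBES2_ALGS[alg]
    salt = alg.encode("ascii") + b"\x00" + p2s
    return hashlib.pbkdf2_hmac(prf, password, salt, p2c, dklen=key_len)


def screen_jwe(compact_jwe: str, max_p2c: int = MAX_P2C) -> tuple:
    """Cheap pre-check a receiver can run before any key unwrapping: (accepted, reason)."""
    try:
        alg, p2c, _ = check_pbes2_header(protected_header(compact_jwe), max_p2c)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{alg} with p2c={p2c}"


def build_compact_jwe(header: dict) -> str:
    """Constructed sample: a real protected header, placeholder remaining segments."""
    dummy = b64url_encode(b"\x00" * 16)
    return ".".join([b64url_encode(json.dumps(header).encode()), dummy, dummy, dummy, dummy])


# Constructed inputs; the salt input is 16 arbitrary octets, not a real value.
SALT_INPUT = b64url_encode(bytes(range(16)))
BENIGN_JWE = build_compact_jwe(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128CBC-HS256", "p2s": SALT_INPUT, "p2c": 4096})
HOSTILE_JWE = build_compact_jwe(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128CBC-HS256", "p2s": SALT_INPUT, "p2c": 2_000_000_000})

if __name__ == "__main__":
    for label, token in (("benign", BENIGN_JWE), ("hostile", HOSTILE_JWE)):
        print(label, screen_jwe(token))
    print(derive_wrapping_key(b"correct horse", protected_header(BENIGN_JWE)).hex())
```

Running the block shows the benign token accepted and the hostile one refused by screen_jwe without any PBKDF2 work; removing the cap check would make the hostile token cost two billion HMAC-SHA-256 iterations before the bogus encrypted key could fail to unwrap. The cap is policy, not specification: pick it from the largest p2c your own senders legitimately emit.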
Affected packages

Platform | Package | State | Recommendation | Release
---|---|---|---|---
Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Will not fix | |
Multicluster Engine for Kubernetes | multicluster-engine/multicluster-engine-console-mce-rhel9 | Will not fix | |
OpenShift Serverless | jose | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Not affected | |
Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Affected | |
Red Hat Enterprise Linux 10 | jose | Not affected | |
Red Hat Enterprise Linux 7 | jose | Out of support scope | |
Red Hat OpenShift Data Science (RHODS) | rhods/odh-dashboard-rhel8 | Not affected | |
Red Hat OpenShift Data Science (RHODS) | rhods/odh-operator-rhel8 | Not affected | |
Red Hat OpenShift Data Science (RHODS) | rhods/odh-rhel8-operator | Not affected | |
Additional information

CVSS3 score: 7.5 (High)
Related vulnerabilities
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
Vulnerability in the C library for signing and encrypting JSON objects (latchset jose), related to uncontrolled resource consumption, allowing an attacker to cause a denial of service
CVSS3 score: 7.5 (High)