Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-51775

Опубликовано: 29 фев. 2024
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

A flaw was found in the jose.4.j (jose4j) library. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. However, if an attacker sets the p2c parameter in JWE to a large number, it can cause high computational consumption, resulting in a denial of service.

Отчет

The vulnerability in the jose4j library, where the "p2c" parameter in PBKDF2-based JWE key management algorithms can be manipulated to induce high computational consumption, is classified as moderate severity due to its potential impact on service availability and resource exhaustion. By setting a large value for "p2c", an attacker can force the server to perform an excessive number of PBKDF2 iterations during key derivation. This results in increased CPU and memory usage, potentially leading to degraded performance or temporary denial of service.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Developer Tools and Servicesjenkins-2-pluginsNot affected
Red Hat build of Apache Camel for Spring Boot 3jose4jOut of support scope
Red Hat build of Apache Camel for Spring Boot 4jose4jNot affected
Red Hat build of Apache Camel - HawtIO 4jose4jAffected
Red Hat build of Debezium 2jose4jNot affected
Red Hat Build of Keycloakjose4jAffected
Red Hat build of Quarkusorg.bitbucket.b_c/jose4jAffected
Red Hat Data Grid 8jose4jNot affected
Red Hat Fuse 7jose4jWill not fix
Red Hat Integration Camel K 1jose4jWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=2266921jose4j: denial of service via specially crafted JWE

EPSS

Процентиль: 62%
0.00429
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2023-51775

CVSS3: 6.5
ubuntu
почти 2 года назад

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

nvd логотип

CVE-2023-51775

CVSS3: 6.5
nvd
почти 2 года назад

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

debian логотип

CVE-2023-51775

CVSS3: 6.5
debian
почти 2 года назад

The jose4j component before 0.9.4 for Java allows attackers to cause a ...

github логотип

GHSA-6qvw-249j-h44c

CVSS3: 6.5
github
почти 2 года назад

jose4j denial of service via specifically crafted JWE

fstec логотип

BDU:2024-01787

CVSS3: 6.5
fstec
около 2 лет назад

Уязвимость JWT-библиотеки Jose4j, связанная с неправильной реализацией алгоритма PBES2 при обработке параметра p2c, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 62%
0.00429
Низкий

7.5 High

CVSS3