Bug 2087214 (CVE-2022-22976)

Summary: CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abenaiss, aboyko, aileenc, alazarot, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dchen, dkreling, dosoudil, drieden, ellin, emingora, etirelli, extras-orphan, fjuma, ggaughan, gmalinko, gsmet, hamadhan, hbraun, ibek, ikanello, iweiss, janstey, java-sig-commits, jnethert, jochrist, jolee, jrokos, jross, jschatte, jstastny, jwon, krathod, kverlaen, lgao, lthon, mnovotny, mosmerov, msochure, msvehla, mszynkie, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, puntogil, rareddy, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, scorneli, sdouglas, shbose, smaestri, sthorger, swoodman, tom.jenkinson, tzimanyi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: spring-security 5.5.7, spring-security 5.6.4, spring-security 5.7.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor (31) due to an integer overflow error.
Story Points: ---
Clone Of: ---
Last Closed: 2022-07-07 20:39:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2087921
Bug Blocks: 2087215

Description Sandipan Roy 2022-05-17 15:21:34 UTC
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error.

The default settings are not affected by this CVE.

Only circumstances in which the BCryptPasswordEncoder has been configured with the maximum work factor are affected. Due to current limitations in computer hardware, the use of such a high work factor is computationally impractical.

https://tanzu.vmware.com/security/cve-2022-22976
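The overflow described above can be reproduced arithmetically without touching the library. The following Python block is an added illustration and is not Spring Security's code: it assumes the vulnerable pattern is a 32-bit Java `int` computed as `1 << log_rounds` and consumed by a `for (i = 0; i < rounds; i++)` loop, compares it with the same computation in 64-bit arithmetic (the width a fix would be expected to use; an assumption, not taken from the page), and wraps the comparison in a configuration check that rejects any work factor whose round count would silently collapse to zero. The encoder names and strengths in the sample are constructed.

```python
# Added illustration of the integer-overflow class behind this bug report.
# Not Spring Security's code: it models the hypothetical pattern
# `int rounds = 1 << log_rounds;` against a 64-bit (`1L << log_rounds`) version.

INT32_MASK = 0xFFFFFFFF


def java_int_shl(value: int, count: int) -> int:
    """Emulate Java's `int` left shift: the shift count is masked to 5 bits
    and the result wraps to 32-bit two's complement."""
    count &= 0x1F
    raw = (value << count) & INT32_MASK
    return raw - (1 << 32) if raw & 0x80000000 else raw


def loop_iterations(rounds: int) -> int:
    """Iterations executed by `for (i = 0; i < rounds; i++)`:
    none when rounds is zero or negative."""
    return rounds if rounds > 0 else 0


def stretch_rounds_int32(log_rounds: int) -> int:
    """Key-stretching rounds when the counter is a 32-bit int (vulnerable model)."""
    return loop_iterations(java_int_shl(1, log_rounds))


def stretch_rounds_int64(log_rounds: int) -> int:
    """Key-stretching rounds when the counter is a 64-bit long.
    Python ints never overflow, so this is exact for 0 <= log_rounds <= 62."""
    return loop_iterations(1 << log_rounds)


def check_work_factor(log_rounds: int) -> int:
    """Configuration check: accept a BCrypt work factor only if the 32-bit
    round count it produces equals the intended 2**log_rounds.
    Returns the number of rounds that would actually be performed."""
    if not 4 <= log_rounds <= 31:
        raise ValueError("BCrypt work factor must be between 4 and 31")
    actual = stretch_rounds_int32(log_rounds)
    if actual != stretch_rounds_int64(log_rounds):
        raise ValueError(
            f"work factor {log_rounds} overflows a 32-bit round counter: "
            f"{actual} stretching rounds would be performed"
        )
    return actual


def audit_work_factors(configured: dict) -> dict:
    """Map each (constructed) encoder name to 'ok' or the failure reason."""
    report = {}
    for name, factor in configured.items():
        try:
            check_work_factor(factor)
            report[name] = "ok"
        except ValueError as exc:
            report[name] = str(exc)
    return report


if __name__ == "__main__":
    # Constructed sample configuration: three encoders with different strengths.
    sample = {"default-encoder": 10, "hardened-encoder": 14, "max-encoder": 31}
    for name, verdict in audit_work_factors(sample).items():
        print(f"{name}: {verdict}")
    print("1 << 31 as a Java int =", java_int_shl(1, 31))  # -2147483648
```

With a 32-bit counter, work factor 31 yields `-2147483648`, the loop condition is false on the first test, and no key stretching happens at all; with a 64-bit counter the same factor yields 2^31 rounds, which is the computationally impractical cost the advisory mentions. The check is useful as a unit test around any code path that lets the BCrypt strength be set from configuration.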

Comment 1 Patrick Del Bello 2022-05-18 14:38:02 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 2087921]

Comment 3 errata-xmlrpc 2022-07-07 14:23:09 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 4 Product Security DevOps Team 2022-07-07 20:39:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22976

Comment 7 errata-xmlrpc 2023-06-19 10:12:56 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663