Bug 2246370 (CVE-2023-31582)

Summary: CVE-2023-31582 jose4j: Insecure iteration count setting
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Sayan Biswas <sabiswas>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, anstephe, asatyam, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dfreiber, dhanak, diagrawa, dkreling, dosoudil, drichtar, dsimansk, eric.wittmann, fjuma, fmariani, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jburrell, jmartisk, jpechane, jpoth, jrokos, jscholz, kverlaen, lball, lgao, lthon, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, pantinor, pcongius, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rkieley, rogbas, rowaters, rruss, rstancel, rsvoboda, sbiarozk, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, vkumar, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jose4j 0.9.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in jose4j that allows a malicious user or an insider to set a low iteration count of 1000 or less when securing a JSON Web Token. Such a low count weakens the password-based key derivation, which has little entropy to begin with, and leaves the system less secure.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2246368

Description ybuenos 2023-10-26 12:44:51 UTC
jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.

https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then
https://github.com/KANIXB/JWTIssues/blob/main/jose4j%20issue.md
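
The Doc Text and the description above concern the iteration count a JWE recipient is asked to run when a token is protected with password-based encryption; in the JOSE standard (RFC 7518) that count is the `p2c` header of the PBES2 algorithms. The following Python is an added, library-independent example and is not jose4j's code or its 0.9.3 fix: it parses the protected header of a JWE compact serialization before any key unwrapping and refuses tokens whose `p2c` is at or below the threshold the page reports as insecure (1000), with a constructed upper bound as well so a header cannot demand an unbounded amount of PBKDF2 work from the recipient. The threshold constants, the `_constructed_jwe` helper and the sample tokens are assumptions built for this example.

```python
import base64
import json

# PBES2 key-management algorithms defined in RFC 7518; only these carry p2c/p2s.
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}

# Policy values chosen for this example (assumptions, not jose4j's defaults).
# The page reports that a p2c of 1000 or less is insecure, so anything at or
# below it is rejected; the upper bound stops a header from forcing an
# excessive amount of key-derivation work on the recipient.
LOW_ITERATION_THRESHOLD = 1000
MAX_ITERATION_COUNT = 1_000_000


def _b64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url segment of a JOSE compact serialization."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_protected_header(jwe_compact: str) -> dict:
    """Return the protected header (a JSON object) of a five-segment JWE."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_pbes2_header(header: dict) -> tuple[bool, str]:
    """Apply the iteration-count policy to a parsed JWE protected header.

    Non-PBES2 algorithms carry no p2c and pass this particular check; the
    caller still applies its normal algorithm allow-list to them.
    """
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return True, f"alg {alg!r} is not PBES2; p2c policy not applicable"
    p2c = header.get("p2c")
    # p2c must be a JSON number; bool is excluded because it subclasses int.
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        return False, "p2c missing or not an integer"
    if p2c <= LOW_ITERATION_THRESHOLD:
        return False, f"p2c={p2c} is at or below the insecure threshold {LOW_ITERATION_THRESHOLD}"
    if p2c > MAX_ITERATION_COUNT:
        return False, f"p2c={p2c} exceeds the maximum {MAX_ITERATION_COUNT}"
    if "p2s" not in header:
        return False, "p2s (salt input) missing"
    return True, f"p2c={p2c} within policy"


def check_jwe(jwe_compact: str) -> tuple[bool, str]:
    """Parse the header and run the policy; call this before unwrapping any key."""
    return check_pbes2_header(parse_protected_header(jwe_compact))


def _constructed_jwe(header: dict) -> str:
    """Build a compact serialization around the given header for testing.

    The other four segments are placeholder bytes (constructed, not real
    ciphertext) because only the protected header is inspected here.
    """
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"key"), enc(b"iv"), enc(b"ct"), enc(b"tag")])


if __name__ == "__main__":
    # Constructed sample tokens: one at the insecure threshold, one above it,
    # one with an abusive count, and one that does not use PBES2 at all.
    samples = {
        "weak": _constructed_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2c": 1000, "p2s": "c2FsdA"}),
        "ok": _constructed_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2c": 600000, "p2s": "c2FsdA"}),
        "huge": _constructed_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2c": 10**9, "p2s": "c2FsdA"}),
        "dir": _constructed_jwe({"alg": "dir", "enc": "A128GCM"}),
    }
    for name, token in samples.items():
        accepted, reason = check_jwe(token)
        print(f"{name:5} accepted={accepted} ({reason})")
```

The check is deliberately placed on the parsed header rather than on a decrypted result, so a rejected token never causes the recipient to run the attacker-chosen PBKDF2 loop at all; the rejection reason is returned separately so it can be logged for detection without being echoed back to the sender.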

Comment 2 errata-xmlrpc 2023-12-06 19:04:02 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.6

Via RHSA-2023:7676 https://access.redhat.com/errata/RHSA-2023:7676

Comment 3 errata-xmlrpc 2023-12-06 23:31:00 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678

Comment 4 errata-xmlrpc 2023-12-07 14:26:53 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700