Bug 2260843 (CVE-2023-6681)

Summary: CVE-2023-6681 JWCrypto: denial of service via specifically crafted JWE
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: davidn, epacific, jcammara, jhardy, jneedle, jobarker, mabashia, osapryki, security-response-team, simaishi, smcdonal, teagle, yguenane, zsadeh
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: jwcrypto 1.5.1
Doc Text:
A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.
Bug Depends On: 2263862, 2263861    
Bug Blocks: 2260847    

Description Rohit Keshri 2024-01-29 11:11:13 UTC
The JWE key management algorithms based on PBKDF2 require a JOSE Header
Parameter called p2c (PBES2 Count). This parameter dictates the number of
PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose
is to intentionally slow down the key derivation function, making password
brute-force and dictionary attacks more resource-intensive.

Therefore, if an attacker sets the p2c parameter in JWE to a very large
number, it can cause a lot of computational consumption, resulting in a DoS.

Comment 3 Guilherme de Almeida Suckevicz 2024-02-12 13:20:28 UTC
Created python-jwcrypto tracking bugs for this issue:

Affects: fedora-38 [bug 2263861]
Affects: fedora-39 [bug 2263862]

Comment 4 errata-xmlrpc 2024-05-22 11:40:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3267 https://access.redhat.com/errata/RHSA-2024:3267