Bug 2268820 (CVE-2024-28176)
| Summary: | CVE-2024-28176 jose: resource exhaustion | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | ybuenos |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | agarcial, amctagga, aoconnor, asatyam, asegurap, bdettelb, bniver, btarraso, caswilli, dhanak, diagrawa, dkenigsb, dsimansk, dymurray, eglynn, fdeutsch, fjansen, flucifre, gmeno, gparvin, hkataria, ibolton, jaharrin, jburrell, jcantril, jchui, jeder, jjoyce, jkoehler, jmatthew, jmontleo, joelsmith, jschluet, jshaughn, jwendell, kaycoth, kingland, kshier, ktsao, kverlaen, lbainbri, lgamliel, lhh, lsm5, lsvaty, matzew, mbenjamin, mburns, mgarciac, mhackett, mnovotny, mrajanna, muagarwa, mwringe, nbecker, nboldt, njean, nobody, odf-bz-bot, oramraz, owatkins, pahickey, pgrist, pierdipi, rbobbitt, rcernich, rfreiman, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rtaniwa, sabiswas, sapillai, sdawley, shbose, sipoyare, slucidi, smullick, sostapov, sseago, stcannon, tkral, tnielsen, tsweeney, twalsh, vereddy, whayutin |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | jose 2.0.7, jose 4.15.5 | Doc Type: | If docs needed, set a value |
| Doc Text: | Jose was found to have an uncontrolled resource consumption vulnerability. Under certain conditions, the user's environment can consume an unreasonable amount of CPU time or memory during JWE decryption operations, leading to a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2268823, 2268824, 2268825, 2268826, 2268827, 2268828, 2268829, 2268830, 2268831, 2268832, 2268833, 2268834, 2268835, 2268836, 2268837, 2268838, 2268839, 2268840, 2268841, 2268842, 2268843, 2268844, 2268845, 2268847, 2268848, 2268849, 2268850, 2268851, 2268852, 2268857, 2268858, 2268860, 2268861, 2268862, 2268863, 2268864, 2268865, 2268866, 2268867, 2268868, 2268869, 2268906, 2268907, 2268908, 2299671, 2306539 | | |
| Bug Blocks: | 2268846 | | |
Description
ybuenos
2024-03-10 20:00:44 UTC
Created apptainer tracking bugs for this issue: Affects: epel-all [bug 2268823]; Affects: fedora-all [bug 2268827]
Created buildah tracking bugs for this issue: Affects: fedora-all [bug 2268828]
Created caddy tracking bugs for this issue: Affects: epel-all [bug 2268824]; Affects: fedora-all [bug 2268829]
Created containerd tracking bugs for this issue: Affects: fedora-all [bug 2268830]
Created cri-o tracking bugs for this issue: Affects: fedora-all [bug 2268831]
Created cri-o:1.21/cri-o tracking bugs for this issue: Affects: epel-all [bug 2268825]
Created cri-o:1.22/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2268832]
Created cri-o:1.23/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2268833]
Created cri-o:1.24/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2268834]
Created cri-o:1.25/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2268835]
Created cri-o:1.26/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2268836]
Created cri-o:1.27/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2268837]
Created golang-github-acme-lego tracking bugs for this issue: Affects: fedora-all [bug 2268838]
Created golang-github-in-toto tracking bugs for this issue: Affects: fedora-all [bug 2268839]
Created golang-github-jose-3 tracking bugs for this issue: Affects: fedora-all [bug 2268840]
Created golang-github-letsencrypt-pebble tracking bugs for this issue: Affects: fedora-all [bug 2268841]
Created golang-gopkg-square-jose-2 tracking bugs for this issue: Affects: fedora-all [bug 2268842]
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2268843]
Created jose tracking bugs for this issue: Affects: fedora-all [bug 2268852]
Created moby-engine tracking bugs for this issue: Affects: fedora-all [bug 2268844]
Created osbuild-composer tracking bugs for this issue: Affects: fedora-all [bug 2268845]
Created podman tracking bugs for this issue: Affects: fedora-all [bug 2268847]
Created podman-tui tracking bugs for this issue: Affects: fedora-all [bug 2268848]
Created prometheus-podman-exporter tracking bugs for this issue: Affects: fedora-all [bug 2268849]
Created singularity-ce tracking bugs for this issue: Affects: epel-all [bug 2268826]; Affects: fedora-all [bug 2268850]
Created skopeo tracking bugs for this issue: Affects: fedora-all [bug 2268851]

@ybuenos I see a bunch of bzs filed against go-based packages which have go-jose in their go.mod files. But the github advisory page linked in the description doesn't mention anything about go-jose. Is there any guidance available on how to handle go-jose, assuming go-jose is affected at all?

The go-jose advisory is at https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g

This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2024:3826 https://access.redhat.com/errata/RHSA-2024:3826

This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2024:3827 https://access.redhat.com/errata/RHSA-2024:3827

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2024:3968 https://access.redhat.com/errata/RHSA-2024:3968

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16. Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16. Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045

This issue has been addressed in the following products: RHODF-4.16-RHEL-9. Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591

This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.6 for RHEL 8; Red Hat OpenShift Service Mesh 2.6 for RHEL 9. Via RHSA-2024:5094 https://access.redhat.com/errata/RHSA-2024:5094

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2024:5294 https://access.redhat.com/errata/RHSA-2024:5294

This issue has been addressed in the following products: RHODF-4.16-RHEL-9. Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

This issue has been addressed in the following products: RHODF-4.17-RHEL-9. Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676

This issue has been solved in RHACM 2.10.1 with this public advisory https://access.redhat.com/errata/RHBA-2024:1793

This issue has been solved in RHACM 2.9.4 via this public advisory https://access.redhat.com/errata/RHBA-2024:3593

This issue has been solved in MCE 2.5.2 via this public advisory https://access.redhat.com/errata/RHBA-2024:1775

This issue has been solved in MCE 2.4.5 via this public advisory https://access.redhat.com/errata/RHBA-2024:3555

This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2024:9181 https://access.redhat.com/errata/RHSA-2024:9181