Bug 2423194 (CVE-2024-29371)

Summary: CVE-2024-29371 jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abrianik, anstephe, ant, aprice, aschwart, asoldano, aszczucz, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, bstansbe, caswilli, ccranfor, cescoffi, chfoley, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dlofthou, dosoudil, drichtar, drosa, dsimansk, eric.wittmann, ewittman, fmariani, ggrzybek, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jmartisk, jpechane, jraez, jrokos, jsamir, kaycoth, kingland, kverlaen, lthon, manderse, matzew, mnovotny, mosmerov, mposolda, msvehla, nipatil, nwallace, oezr, olubyans, pantinor, parichar, pberan, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rgodfrey, rguimara, rkubis, rmartinc, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, ssilvert, sthorger, swoodman, tasato, tcunning, thjenkin, tom.jenkinson, tqvarnst, vdosoudi, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2425745, 2425744    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-17 16:01:42 UTC
In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

Comment 4 errata-xmlrpc 2026-05-04 23:37:22 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.2.0

Via RHSA-2026:13571 https://access.redhat.com/errata/RHSA-2026:13571

Comment 6 errata-xmlrpc 2026-06-30 00:11:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7

Via RHSA-2026:33371 https://access.redhat.com/errata/RHSA-2026:33371

Comment 7 errata-xmlrpc 2026-07-02 00:03:17 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.4

Via RHSA-2026:34608 https://access.redhat.com/errata/RHSA-2026:34608