Bug 2087214 (CVE-2022-22976) - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
Summary: CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-22976
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2087921
Blocks: 2087215
Reported: 2022-05-17 15:21 UTC by Sandipan Roy
Modified: 2023-06-19 10:13 UTC (History)

Fixed In Version: spring-security 5.5.7, spring-security 5.6.4, spring-security 5.7.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor (31) due to an integer overflow error.
Clone Of:
Environment:
Last Closed: 2022-07-07 20:39:18 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:23:13 UTC
Red Hat Product Errata RHSA-2023:3663 0 None None None 2023-06-19 10:13:00 UTC

Description Sandipan Roy 2022-05-17 15:21:34 UTC
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error.

The default settings are not affected by this CVE.

Only configurations in which the BCryptPasswordEncoder has been set to the maximum work factor are affected. Due to current limitations in computer hardware, the use of such a high work factor is computationally impractical.

https://tanzu.vmware.com/security/cve-2022-22976
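
The mechanism the advisory describes, as an added illustration that is not Spring Security's or jBCrypt's own code: a stripped-down model of how a bcrypt key setup turns the work factor into a loop bound. With 32-bit int arithmetic `1 << 31` wraps to Integer.MIN_VALUE, so the round loop's condition is false on the first check and no rounds run; widening the bound to long keeps it positive. The `requireAffordableStrength` guard is an assumed caller-side helper, not a Spring API, and the range limit it enforces is an example value.

```java
// Added illustration (not Spring Security's or jBCrypt's code): a simplified
// model of a bcrypt key-setup loop whose iteration count is 2^logRounds,
// showing why a work factor of 31 runs zero rounds in Java int arithmetic.
public final class BcryptWorkFactorDemo {

    // Vulnerable form: `1 << 31` overflows to Integer.MIN_VALUE (negative),
    // so `i < rounds` is false immediately and the body never executes.
    static long setupRoundsInt(int logRounds) {
        int rounds = 1 << logRounds;
        long executed = 0;
        for (int i = 0; i < rounds; i++) {
            executed++; // real bcrypt performs an expensive key-schedule step here
        }
        return executed;
    }

    // Corrected arithmetic: computing the bound as a long cannot overflow for
    // logRounds up to 31. Only the bound is returned; actually running 2^31
    // key-setup rounds is the impractical cost the advisory refers to.
    static long setupRoundBoundLong(int logRounds) {
        return 1L << logRounds;
    }

    // Assumed defensive helper (not a Spring API): reject work factors outside the
    // range an application can afford, so the maximum value never reaches the encoder.
    static int requireAffordableStrength(int strength, int maxAllowed) {
        if (strength < 4 || strength > maxAllowed) {
            throw new IllegalArgumentException(
                    "bcrypt strength " + strength + " outside allowed range 4.." + maxAllowed);
        }
        return strength;
    }

    public static void main(String[] args) {
        System.out.println("1 << 31 as int   = " + (1 << 31));
        System.out.println("1L << 31 as long = " + (1L << 31));
        System.out.println("rounds executed with int bound, work factor 4:  " + setupRoundsInt(4));
        System.out.println("rounds executed with int bound, work factor 31: " + setupRoundsInt(31));
        System.out.println("loop bound with long arithmetic, work factor 31: " + setupRoundBoundLong(31));
        try {
            requireAffordableStrength(31, 16); // example limit; tune to measured hashing latency
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `setupRoundsInt(31)` returns instantly because the negative bound skips the loop, which is the observable symptom of the bug: a hash produced with the maximum work factor costs almost nothing to compute. The practical mitigation on the page is simply not to configure strength 31; the guard shows one way to make that a hard limit at the call site.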

Comment 1 Patrick Del Bello 2022-05-18 14:38:02 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 2087921]

Comment 3 errata-xmlrpc 2022-07-07 14:23:09 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 4 Product Security DevOps Team 2022-07-07 20:39:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22976

Comment 7 errata-xmlrpc 2023-06-19 10:12:56 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663
