2246370 – (CVE-2023-31582) CVE-2023-31582 jose4j: Insecure iteration count setting

Bug 2246370 (CVE-2023-31582) - CVE-2023-31582 jose4j: Insecure iteration count setting

Summary: CVE-2023-31582 jose4j: Insecure iteration count setting

Keywords:
Status:	NEW
Alias:	CVE-2023-31582
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Sayan Biswas
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2246368
TreeView+	depends on / blocked

Reported:	2023-10-26 12:44 UTC by ybuenos
Modified:	2024-05-03 18:49 UTC (History)
CC List:	86 users (show)
Fixed In Version:	jose4j 0.9.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Jose4J which allows a malicious user or internal person to erroneously set a low iteration count of 1000 or less to secure the Json Web Token. This could apply to lack of entropy and leave the system less secure.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:7676	None	None	None	2023-12-06 19:04:06 UTC
Red Hat Product Errata	RHSA-2023:7678	None	None	None	2023-12-06 23:31:04 UTC
Red Hat Product Errata	RHSA-2023:7700	None	None	None	2023-12-07 14:26:58 UTC

Description ybuenos 2023-10-26 12:44:51 UTC

jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.

https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then
https://github.com/KANIXB/JWTIssues/blob/main/jose4j%20issue.md

Comment 2 errata-xmlrpc 2023-12-06 19:04:02 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.6

Via RHSA-2023:7676 https://access.redhat.com/errata/RHSA-2023:7676

Comment 3 errata-xmlrpc 2023-12-06 23:31:00 UTC

This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678

Comment 4 errata-xmlrpc 2023-12-07 14:26:53 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700

Note You need to log in before you can comment on or make changes to this bug.

aileenc
anstephe
apjagtap
asatyam
asoldano
ataylor
avibelli
bbaranow
bgeorges
bmaxwell
boliveir
brian.stansberry
ccranfor
cdewolf
chazlett
chfoley
clement.escoffier
cmiranda
dandread
darran.lofthouse
dfreiber
dhanak
diagrawa
dkreling
dosoudil
drichtar
dsimansk
eric.wittmann
fjuma
fmariani
gmalinko
gsmet
ibek
ivassile
iweiss
janstey
jburrell
jcechace
jmartisk
jpechane
jpoth
jrokos
jross
jscholz
kverlaen
lball
lgao
lthon
matzew
max.andersen
mnovotny
mosmerov
msochure
mstefank
msvehla
mulliken
nwallace
pantinor
pcongius
pdelbell
pdrozd
peholase
pgallagh
pjindal
pmackay
probinso
pskopek
rguimara
rhuss
rkieley
rogbas
rowaters
rruss
rstancel
rsvoboda
sbiarozk
sdouglas
skontopo
smaestri
sthorger
swoodman
tcunning
tom.jenkinson
tqvarnst
vkumar
yfang