The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive the CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. The value is read from the protected header and honoured before any authentication of the message can take place, so it is entirely under the sender's control. Therefore, if an attacker sets the p2c parameter in a JWE to a very large number, the recipient performs a correspondingly large amount of computation while trying to unwrap the key, resulting in a DoS attack.
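A defender-side check for this class of problem is to inspect the protected header and refuse to derive a key when `p2c` exceeds a locally chosen cap, before any PBKDF2 work is done. The following is an added example written for this page; it is not code from python-jwcrypto or from the advisory, and it does not depend on jwcrypto at all. The cap value `DEFAULT_MAX_P2C`, the helper names, and the sample token built by `make_sample_jwe` (dummy key, IV, ciphertext and tag) are all assumptions constructed for the example.

```python
import base64
import json

# Assumed upper bound on PBES2 iterations this recipient is willing to run.
# A real deployment sizes this to its own CPU budget; the number here is a
# placeholder for the example, not a value taken from jwcrypto or the advisory.
DEFAULT_MAX_P2C = 1_000_000


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url_encode; restores the padding that JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jwe(p2c, alg="PBES2-HS256+A128KW"):
    """Build a *constructed* compact JWE whose protected header carries the given p2c.

    Only the header is meaningful; the encrypted key, IV, ciphertext and tag are
    zero-filled dummies so the token parses but cannot be decrypted.
    """
    header = {
        "alg": alg,
        "enc": "A128CBC-HS256",
        "p2s": _b64url_encode(b"\x00" * 16),  # constructed salt input
        "p2c": p2c,
    }
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode())]
    parts += [_b64url_encode(b"\x00" * n) for n in (40, 16, 32, 16)]
    return ".".join(parts)


def check_pbes2_count(token, max_p2c=DEFAULT_MAX_P2C):
    """Inspect the protected header before any key derivation takes place.

    Returns (accepted, p2c, reason). Tokens that do not use a PBES2 algorithm
    are accepted with p2c=None because the iteration count does not apply.
    """
    parts = token.split(".")
    if len(parts) != 5:
        return (False, None, "not a compact JWE serialization")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return (False, None, "protected header is not valid base64url JSON")
    if not isinstance(header, dict):
        return (False, None, "protected header is not a JSON object")
    alg = header.get("alg", "")
    if not (isinstance(alg, str) and alg.startswith("PBES2-")):
        return (True, None, "not a PBES2 key management algorithm")
    p2c = header.get("p2c")
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        return (False, None, "p2c missing or not a positive integer")
    if p2c > max_p2c:
        return (False, p2c, f"p2c {p2c} exceeds local cap {max_p2c}")
    return (True, p2c, "p2c within cap")


if __name__ == "__main__":
    for count in (4096, 2**31 - 1):
        print(count, check_pbes2_count(make_sample_jwe(count)))
```

The check is deliberately done on the raw serialization rather than after handing the token to a JWE library, so that an oversized count is rejected before any library code has a chance to start iterating. In production the cap should be chosen from measured PBKDF2 throughput on the receiving host, and rejected tokens should be logged with the offending `p2c` value so that repeated oversized counts from one source can be spotted.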
Created python-jwcrypto tracking bugs for this issue: Affects: fedora-38 [bug 2263861] Affects: fedora-39 [bug 2263862]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3267 https://access.redhat.com/errata/RHSA-2024:3267
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9281 https://access.redhat.com/errata/RHSA-2024:9281