Bug 2268820 (CVE-2024-28176) - CVE-2024-28176 jose: resource exhaustion
Summary: CVE-2024-28176 jose: resource exhaustion
Keywords:
Status: NEW
Alias: CVE-2024-28176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2268852 2268860 2268864 2268866 2268906 2268907 2268823 2268824 2268825 2268826 2268827 2268828 2268829 2268830 2268831 2268832 2268833 2268834 2268835 2268836 2268837 2268838 2268839 2268840 2268841 2268842 2268843 2268844 2268845 2268847 2268848 2268849 2268850 2268851 2268857 2268858 2268861 2268862 2268863 2268865 2268867 2268868 2268869 2268908
Blocks: 2268846
Reported: 2024-03-10 20:00 UTC by ybuenos
Modified: 2024-06-11 19:41 UTC (History)

Fixed In Version: jose 2.0.7, jose 4.15.5
Doc Type: If docs needed, set a value
Doc Text:
Jose was found to have an uncontrolled resource consumption vulnerability. Under certain conditions, the user's environment can consume an unreasonable amount of CPU time or memory during JWE decryption operations, leading to a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:3826 0 None None None 2024-06-11 19:40:51 UTC
Red Hat Product Errata RHSA-2024:3827 0 None None None 2024-06-11 19:41:14 UTC

Description ybuenos 2024-03-10 20:00:44 UTC
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.

https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314
https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b
https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q

Comment 1 ybuenos 2024-03-10 20:07:44 UTC
Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2268823]
Affects: fedora-all [bug 2268827]


Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2268828]


Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2268824]
Affects: fedora-all [bug 2268829]


Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2268830]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268831]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2268825]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268832]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268833]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268834]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268835]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268836]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268837]


Created golang-github-acme-lego tracking bugs for this issue:

Affects: fedora-all [bug 2268838]


Created golang-github-in-toto tracking bugs for this issue:

Affects: fedora-all [bug 2268839]


Created golang-github-jose-3 tracking bugs for this issue:

Affects: fedora-all [bug 2268840]


Created golang-github-letsencrypt-pebble tracking bugs for this issue:

Affects: fedora-all [bug 2268841]


Created golang-gopkg-square-jose-2 tracking bugs for this issue:

Affects: fedora-all [bug 2268842]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2268843]


Created jose tracking bugs for this issue:

Affects: fedora-all [bug 2268852]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2268844]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2268845]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2268847]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2268848]


Created prometheus-podman-exporter tracking bugs for this issue:

Affects: fedora-all [bug 2268849]


Created singularity-ce tracking bugs for this issue:

Affects: epel-all [bug 2268826]
Affects: fedora-all [bug 2268850]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 2268851]

Comment 8 Lokesh Mandvekar 2024-03-11 10:03:28 UTC
@ybuenos I see a bunch of bzs filed against go-based packages which have go-jose in their go.mod files. But the github advisory page linked in description doesn't mention anything about go-jose. Is there any guidance available on how to handle go-jose, assuming go-jose is affected at all?

Comment 10 Lokesh Mandvekar 2024-03-12 09:55:56 UTC
The go-jose advisory is at https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g

Comment 20 errata-xmlrpc 2024-06-11 19:40:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3826 https://access.redhat.com/errata/RHSA-2024:3826

Comment 21 errata-xmlrpc 2024-06-11 19:41:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3827 https://access.redhat.com/errata/RHSA-2024:3827

