Bug 2268854 (CVE-2024-28180) - CVE-2024-28180 jose-go: improper handling of highly compressed data
Summary: CVE-2024-28180 jose-go: improper handling of highly compressed data
Keywords:
Status: NEW
Alias: CVE-2024-28180
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2268872 2268873 2268876 2268877 2268878 2268879 2268880 2268881 2268882 2268883 2268884 2268885 2268886 2268887 2268888 2268889 2268890 2268891 2268892 2268893 2268898 2268899 2268901 2268902 2268903 2268904 2268911 2268912 2268913 2268914 2268915 2268917 2276638 2276656 2276658 2268871 2268874 2268875 2268894 2268895 2268896 2268897 2268905 2268909 2268910 2268916 2268918 2269205 2276653 2276654 2276655 2276657
Blocks: 2268846
Reported: 2024-03-10 20:20 UTC by ybuenos
Modified: 2024-06-11 19:41 UTC (History)
CC: 107 users

Fixed In Version: go-jose 4.0.1, go-jose 3.0.3, go-jose 2.6.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Jose due to improper handling of highly compressed data. This issue could allow an attacker to send a JWE containing compressed data that uses large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1661 0 None None None 2024-04-03 10:23:33 UTC
Red Hat Product Errata RHBA-2024:2860 0 None None None 2024-05-15 21:21:18 UTC
Red Hat Product Errata RHSA-2024:1456 0 None None None 2024-03-27 00:41:42 UTC
Red Hat Product Errata RHSA-2024:1563 0 None None None 2024-04-02 21:38:09 UTC
Red Hat Product Errata RHSA-2024:1567 0 None None None 2024-04-03 16:00:25 UTC
Red Hat Product Errata RHSA-2024:1574 0 None None None 2024-04-03 07:36:38 UTC
Red Hat Product Errata RHSA-2024:1812 0 None None None 2024-04-15 05:44:41 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:34 UTC
Red Hat Product Errata RHSA-2024:2049 0 None None None 2024-05-02 16:56:16 UTC
Red Hat Product Errata RHSA-2024:2054 0 None None None 2024-05-02 15:47:00 UTC
Red Hat Product Errata RHSA-2024:2071 0 None None None 2024-05-02 14:47:10 UTC
Red Hat Product Errata RHSA-2024:2639 0 None None None 2024-05-01 02:44:46 UTC
Red Hat Product Errata RHSA-2024:2669 0 None None None 2024-05-09 14:12:02 UTC
Red Hat Product Errata RHSA-2024:2672 0 None None None 2024-05-09 17:13:48 UTC
Red Hat Product Errata RHSA-2024:2773 0 None None None 2024-05-15 18:44:12 UTC
Red Hat Product Errata RHSA-2024:2776 0 None None None 2024-05-15 19:00:59 UTC
Red Hat Product Errata RHSA-2024:2784 0 None None None 2024-05-16 18:31:15 UTC
Red Hat Product Errata RHSA-2024:2865 0 None None None 2024-05-21 09:37:56 UTC
Red Hat Product Errata RHSA-2024:2869 0 None None None 2024-05-23 08:24:57 UTC
Red Hat Product Errata RHSA-2024:2875 0 None None None 2024-05-23 18:11:12 UTC
Red Hat Product Errata RHSA-2024:2877 0 None None None 2024-05-23 18:41:58 UTC
Red Hat Product Errata RHSA-2024:3254 0 None None None 2024-05-22 11:38:26 UTC
Red Hat Product Errata RHSA-2024:3327 0 None None None 2024-05-29 15:42:06 UTC
Red Hat Product Errata RHSA-2024:3349 0 None None None 2024-05-30 03:55:31 UTC
Red Hat Product Errata RHSA-2024:3351 0 None None None 2024-05-30 04:11:47 UTC
Red Hat Product Errata RHSA-2024:3523 0 None None None 2024-06-10 16:09:00 UTC
Red Hat Product Errata RHSA-2024:3826 0 None None None 2024-06-11 19:40:55 UTC
Red Hat Product Errata RHSA-2024:3827 0 None None None 2024-06-11 19:41:21 UTC

Description ybuenos 2024-03-10 20:20:23 UTC
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
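
The mitigation described above (reject the JWE if the decompressed payload would exceed 250kB or 10x the compressed size, whichever is larger) can be applied to any DEFLATE-compressed input, not only JWE. The following Go program is an added example written for this page; it is not go-jose's own code and does not use the go-jose API. The limit constants are taken from the description; the function names (decompressLimit, inflateBounded, deflate) and the sample payloads are this example's own. The key point is that the output is bounded before it is fully materialised: the reader stops one byte past the limit instead of inflating the whole stream and checking its length afterwards.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressLimit is returned when inflating would exceed the safe bound.
var ErrDecompressLimit = errors.New("decompressed data exceeds safe limit")

// decompressLimit returns the maximum number of inflated bytes accepted for a
// compressed payload of compressedLen bytes: the larger of 250kB or 10x the
// compressed size (the bound stated in the advisory description above).
func decompressLimit(compressedLen int) int64 {
	const floor = 250_000
	ratio := int64(compressedLen) * 10
	if ratio > floor {
		return ratio
	}
	return floor
}

// inflateBounded inflates a raw DEFLATE stream (the "zip":"DEF" form used in
// JWE) but never buffers more than the limit plus one byte. A stream that
// would inflate beyond the limit is rejected without being fully expanded,
// so memory and CPU stay proportional to the bound, not to the attacker's
// chosen plaintext size.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := decompressLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read at most limit+1 bytes: if that extra byte arrives, the payload is
	// larger than allowed and we stop right there.
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressLimit
	}
	return out, nil
}

// deflate compresses plaintext with raw DEFLATE. It exists only to construct
// sample inputs for this example; a real receiver never compresses on behalf
// of the sender.
func deflate(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample 1: an ordinary small JWT-style claims object.
	claims := []byte(`{"sub":"alice","iat":1700000000}`)
	c, _ := deflate(claims)
	out, err := inflateBounded(c)
	fmt.Printf("claims: %d -> %d bytes, err=%v\n", len(c), len(out), err)

	// Constructed sample 2: 2 MiB of zero bytes, which DEFLATE shrinks to a few
	// kilobytes. The bound (250kB here) is hit long before the stream ends.
	bomb, _ := deflate(bytes.Repeat([]byte{0}, 2<<20))
	_, err = inflateBounded(bomb)
	fmt.Printf("bomb: %d compressed bytes, limit=%d, err=%v\n",
		len(bomb), decompressLimit(len(bomb)), err)
}
```

Callers that already have the decrypted-but-still-compressed bytes would substitute inflateBounded for a plain io.ReadAll over flate.NewReader; the 10x clause keeps legitimately large, poorly compressible payloads working while the 250kB floor protects against tiny inputs that expand enormously.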

Comment 1 ybuenos 2024-03-10 20:57:32 UTC
Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2268871]
Affects: fedora-all [bug 2268875]


Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2268876]


Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2268872]
Affects: fedora-all [bug 2268877]


Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2268878]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268879]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2268873]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268880]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268881]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268882]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268883]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268884]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268885]


Created golang-github-acme-lego tracking bugs for this issue:

Affects: fedora-all [bug 2268886]


Created golang-github-in-toto tracking bugs for this issue:

Affects: fedora-all [bug 2268887]


Created golang-github-jose-3 tracking bugs for this issue:

Affects: fedora-all [bug 2268888]


Created golang-github-letsencrypt-pebble tracking bugs for this issue:

Affects: fedora-all [bug 2268889]


Created golang-gopkg-square-jose-2 tracking bugs for this issue:

Affects: fedora-all [bug 2268890]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2268891]


Created jose tracking bugs for this issue:

Affects: fedora-all [bug 2268899]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2268892]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2268893]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2268894]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2268895]


Created prometheus-podman-exporter tracking bugs for this issue:

Affects: fedora-all [bug 2268896]


Created singularity-ce tracking bugs for this issue:

Affects: epel-all [bug 2268874]
Affects: fedora-all [bug 2268897]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 2268898]

Comment 12 errata-xmlrpc 2024-03-27 00:41:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:1456 https://access.redhat.com/errata/RHSA-2024:1456

Comment 13 errata-xmlrpc 2024-04-02 21:38:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1563 https://access.redhat.com/errata/RHSA-2024:1563

Comment 14 errata-xmlrpc 2024-04-03 07:36:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1574 https://access.redhat.com/errata/RHSA-2024:1574

Comment 15 errata-xmlrpc 2024-04-03 16:00:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1567 https://access.redhat.com/errata/RHSA-2024:1567

Comment 16 errata-xmlrpc 2024-04-15 05:44:36 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:1812 https://access.redhat.com/errata/RHSA-2024:1812

Comment 17 errata-xmlrpc 2024-04-16 17:26:27 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859

Comment 28 errata-xmlrpc 2024-05-01 02:44:38 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2024:2639 https://access.redhat.com/errata/RHSA-2024:2639

Comment 29 errata-xmlrpc 2024-05-02 14:47:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2071 https://access.redhat.com/errata/RHSA-2024:2071

Comment 30 errata-xmlrpc 2024-05-02 15:46:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2054 https://access.redhat.com/errata/RHSA-2024:2054

Comment 31 errata-xmlrpc 2024-05-02 16:56:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2049 https://access.redhat.com/errata/RHSA-2024:2049

Comment 34 errata-xmlrpc 2024-05-09 14:11:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2669 https://access.redhat.com/errata/RHSA-2024:2669

Comment 35 errata-xmlrpc 2024-05-09 17:13:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2672 https://access.redhat.com/errata/RHSA-2024:2672

Comment 36 errata-xmlrpc 2024-05-15 18:44:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773

Comment 37 errata-xmlrpc 2024-05-15 19:00:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2776 https://access.redhat.com/errata/RHSA-2024:2776

Comment 38 errata-xmlrpc 2024-05-16 18:31:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:2784 https://access.redhat.com/errata/RHSA-2024:2784

Comment 39 errata-xmlrpc 2024-05-21 09:37:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2865 https://access.redhat.com/errata/RHSA-2024:2865

Comment 40 errata-xmlrpc 2024-05-22 11:38:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3254 https://access.redhat.com/errata/RHSA-2024:3254

Comment 41 errata-xmlrpc 2024-05-23 08:24:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2869 https://access.redhat.com/errata/RHSA-2024:2869

Comment 42 errata-xmlrpc 2024-05-23 18:11:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2875 https://access.redhat.com/errata/RHSA-2024:2875

Comment 43 errata-xmlrpc 2024-05-23 18:41:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2877 https://access.redhat.com/errata/RHSA-2024:2877

Comment 44 errata-xmlrpc 2024-05-29 15:41:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:3327 https://access.redhat.com/errata/RHSA-2024:3327

Comment 45 errata-xmlrpc 2024-05-30 03:55:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:3349 https://access.redhat.com/errata/RHSA-2024:3349

Comment 46 errata-xmlrpc 2024-05-30 04:11:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:3351 https://access.redhat.com/errata/RHSA-2024:3351

Comment 49 errata-xmlrpc 2024-06-10 16:08:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:3523 https://access.redhat.com/errata/RHSA-2024:3523

Comment 50 errata-xmlrpc 2024-06-11 19:40:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3826 https://access.redhat.com/errata/RHSA-2024:3826

Comment 51 errata-xmlrpc 2024-06-11 19:41:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3827 https://access.redhat.com/errata/RHSA-2024:3827
