中危 jose_project jose 未加控制的资源消耗(资源穷尽)
CVE编号
CVE-2022-36083利用情况
暂无补丁情况
官方补丁披露时间
2022-09-08漏洞描述
JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive. This makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish. Under certain conditions, it is possible to have the user's environment consume unreasonable amount of CPU time. The impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means. The `v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option. If users are unable to upgrade their required library version, they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms. They can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether, or they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter).解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | jose_project | jose | * | From (including) 1.0.0 | Up to (excluding) 1.28.2 | ||||
| 运行在以下环境 | |||||||||
| 应用 | jose_project | jose | * | From (including) 2.0.0 | Up to (excluding) 2.0.6 | ||||
| 运行在以下环境 | |||||||||
| 应用 | jose_project | jose | * | From (including) 3.0.0 | Up to (excluding) 3.20.4 | ||||
| 运行在以下环境 | |||||||||
| 应用 | jose_project | jose | * | From (including) 4.0.0 | Up to (excluding) 4.9.2 | ||||
| 运行在以下环境 | |||||||||
| 系统 | debian_12 | node-jose | * | Up to (excluding) 4.9.2-1 | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian_sid | node-jose | * | Up to (excluding) 4.9.2-1 | |||||
- 攻击路径 本地
- 攻击复杂度 困难
- 权限要求 普通权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 N/A
- 服务器危害 无影响
- 全网数量 N/A
| CWE-ID | 漏洞类型 |
| CWE-400 | 未加控制的资源消耗(资源穷尽) |
| CWE-834 | 过度迭代 |
Exp相关链接
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论