Learn about CVE-2022-36083, in which JOSE, a JSON Web library, is vulnerable to resource exhaustion through a specially crafted JWE. Understand the impact, affected versions, exploitation, and mitigation steps.
JOSE, which stands for "JSON Web Almost Everything," is vulnerable to resource exhaustion through a specially crafted JWE. This vulnerability affects users who call the JWE decryption APIs with symmetric secrets to decrypt JWEs received from untrusted parties.
Understanding CVE-2022-36083
This section provides insights into the vulnerability found in JOSE.
What is CVE-2022-36083?
JOSE is a library that offers various JSON Web functionalities. The vulnerability arises from the PBKDF2-based JWE key management algorithms, specifically around the p2c header parameter, leading to resource exhaustion under certain conditions.
The Impact of CVE-2022-36083
The impact of this vulnerability is limited to users who pass JWEs from untrusted parties to the JWE decryption APIs with symmetric secrets. A crafted JWE can consume an unreasonable amount of CPU time in the user's environment.
Technical Details of CVE-2022-36083
This section delves into the technical aspects of the CVE.
Vulnerability Description
The vulnerability stems from the PBKDF2 iteration count not being limited in certain JOSE versions, allowing for resource exhaustion attacks.
Affected Systems and Versions
Versions >= 1.0 and < 1.28.2, >= 2.0 and < 2.0.6, >= 3.0 and < 3.20.4, and >= 4.0 and < 4.9.2 of JOSE are affected.
Exploitation Mechanism
Attackers could exploit this vulnerability by intentionally selecting a high PBES2 Count (p2c) value, triggering a CPU-bound PBKDF2 computation with that many iterations and causing excessive CPU consumption.
Mitigation and Prevention
This section outlines steps to mitigate and prevent exploitation of CVE-2022-36083.
Immediate Steps to Take
Users are advised to upgrade to versions 1.28.2, 2.0.6, 3.20.4, or 4.9.2 of JOSE, which limit the PBKDF2 iteration count. Alternatively, they can adjust this limit using the maxPBES2Count decryption option.
Long-Term Security Practices
It is recommended to limit the PBKDF2 iteration count or disable PBKDF2 altogether if users are unable to upgrade to the patched versions.
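As an added example (not code from the jose project), the following Node.js guard reads the protected header of an incoming compact JWE and refuses PBES2 key management whose p2c exceeds a cap before the JWE reaches any decryption API; it gives an application-level equivalent of the maxPBES2Count option for deployments that cannot upgrade. The cap of 10000, the function names, and the sample JWEs are assumptions constructed for this example.

```javascript
// Added example, not jose's own code: a pre-decryption guard for untrusted
// compact JWEs. Only the protected header is parsed, so an oversized p2c is
// rejected before any PBKDF2 work is attempted. The cap value and the
// function names are assumptions made for this example.

const MAX_PBES2_COUNT = 10000; // assumed cap for this example

// Decode the base64url-encoded protected header (first of the five segments).
function decodeProtectedHeader(compactJwe) {
  const segments = compactJwe.split('.');
  if (segments.length !== 5) {
    throw new Error('not a compact JWE (expected 5 dot-separated segments)');
  }
  return JSON.parse(Buffer.from(segments[0], 'base64url').toString('utf8'));
}

// Returns { ok, reason }. Non-PBES2 algorithms pass through untouched; for
// PBES2-* algorithms p2c must be a positive integer no larger than maxCount.
function checkPbes2Count(header, maxCount = MAX_PBES2_COUNT) {
  if (typeof header.alg !== 'string' || !header.alg.startsWith('PBES2-')) {
    return { ok: true, reason: 'not a PBES2 algorithm' };
  }
  if (!Number.isInteger(header.p2c) || header.p2c < 1) {
    return { ok: false, reason: 'p2c missing or not a positive integer' };
  }
  if (header.p2c > maxCount) {
    return { ok: false, reason: `p2c ${header.p2c} exceeds limit ${maxCount}` };
  }
  return { ok: true, reason: 'p2c within limit' };
}

// Call this before handing an untrusted JWE to the decryption API.
function checkUntrustedJwe(compactJwe, maxCount = MAX_PBES2_COUNT) {
  return checkPbes2Count(decodeProtectedHeader(compactJwe), maxCount);
}

// Constructed sample input: a compact JWE whose only meaningful part is the
// protected header; the other four segments are placeholders, which is fine
// because the guard never reads them.
function sampleJwe(header) {
  const protectedHeader = Buffer.from(JSON.stringify(header)).toString('base64url');
  return [protectedHeader, 'ek', 'iv', 'ct', 'tag'].join('.');
}

const benign = sampleJwe({ alg: 'PBES2-HS256+A128KW', enc: 'A128CBC-HS256', p2c: 4096 });
const oversized = sampleJwe({ alg: 'PBES2-HS256+A128KW', enc: 'A128CBC-HS256', p2c: 2 ** 31 - 1 });
console.log(checkUntrustedJwe(benign));    // ok: true
console.log(checkUntrustedJwe(oversized)); // ok: false, p2c exceeds limit
```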
Patching and Updates
Users should ensure they are using JOSE versions that have implemented limits on the maximum PBKDF2 iteration count to mitigate the risk of resource exhaustion attacks.