CVE-2024-29371
Description
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In jose4j before 0.9.6, a crafted JWE token with high compression ratio causes excessive memory and CPU, leading to denial of service.
Vulnerability
Overview
The vulnerability resides in the jose4j library, a Java implementation of JSON Object Signing and Encryption (JOSE). In versions prior to 0.9.6, the library does not properly limit the decompression of JSON Web Encryption (JWE) tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, which, when processed, expands dramatically on decompression. This leads to significant memory allocation and processing time during decompression on the server side [1].
Exploitation
Scenario
An attacker can exploit this vulnerability by sending a specially crafted JWE token to a server that uses jose4j to decrypt or process incoming tokens. The attack does not require authentication if the server accepts unauthenticated JWE tokens. The token itself is small in size, but upon decompression it expands to consume large amounts of memory and CPU resources, effectively causing a denial-of-service condition [1].
Impact
Successful exploitation results in a denial of service (DoS) where the affected server becomes unresponsive or crashes due to resource exhaustion. This can disrupt services that rely on jose4j for processing JWE tokens, such as authentication or data exchange systems. The impact is limited to availability, with no direct data confidentiality or integrity impact [1].
Mitigation
The vulnerability is fixed in jose4j version 0.9.6. Upgrading to this version or later is recommended. There is no known workaround for the issue [1].
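The page does not describe how jose4j 0.9.6 changed its decompression handling, so the following is an added, generic illustration of the defensive pattern behind this class of issue, not jose4j's own code: inflate a raw DEFLATE stream (the format JWE's "zip":"DEF" uses) while enforcing a hard cap on the output size, so a small token with an extreme compression ratio is rejected before it can exhaust memory. The class name, the cap value MAX_DECOMPRESSED_BYTES and the sample payloads are assumptions constructed for this example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/** Bounded raw-DEFLATE decompression: a generic guard against decompression bombs (added example). */
public final class BoundedInflate {

    /** Hypothetical output cap; the value is an assumption for this example, not a jose4j setting. */
    public static final int MAX_DECOMPRESSED_BYTES = 256 * 1024;

    /** Thrown when the inflated output would exceed the caller's cap. */
    public static final class DecompressionLimitException extends DataFormatException {
        DecompressionLimitException(String msg) { super(msg); }
    }

    /**
     * Inflates a raw DEFLATE (RFC 1951) stream but fails as soon as the
     * output would exceed maxBytes, so memory use is bounded by the cap
     * rather than by whatever the attacker chose to compress.
     */
    public static byte[] inflateBounded(byte[] compressed, int maxBytes) throws DataFormatException {
        Inflater inflater = new Inflater(true); // nowrap = raw DEFLATE, no zlib header
        try {
            inflater.setInput(compressed);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                if (n == 0) {
                    // No progress: the stream is truncated or needs a preset dictionary.
                    if (inflater.needsInput() || inflater.needsDictionary()) {
                        throw new DataFormatException("truncated or malformed DEFLATE stream");
                    }
                    continue;
                }
                // Check the cap before buffering, so the buffer never grows past maxBytes.
                if (out.size() + n > maxBytes) {
                    throw new DecompressionLimitException(
                        "inflated output would exceed " + maxBytes + " bytes after reading "
                        + inflater.getBytesRead() + " compressed bytes");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end(); // release native zlib state even when rejecting input
        }
    }

    /** Helper used only to build the constructed samples in main(). */
    static byte[] deflate(byte[] plain) {
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION, true);
        try {
            deflater.setInput(plain);
            deflater.finish();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            while (!deflater.finished()) {
                int n = deflater.deflate(buf);
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            deflater.end();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload: a small JSON claims object, well under the cap.
        byte[] claims = "{\"sub\":\"alice\",\"scope\":\"read\"}".getBytes(StandardCharsets.UTF_8);
        byte[] ok = inflateBounded(deflate(claims), MAX_DECOMPRESSED_BYTES);
        System.out.println("benign payload inflated to " + ok.length + " bytes");

        // Constructed high-ratio payload: 8 MiB of zeros deflates to a few KiB.
        byte[] highRatio = deflate(new byte[8 * 1024 * 1024]);
        System.out.println("high-ratio input is " + highRatio.length + " compressed bytes");
        try {
            inflateBounded(highRatio, MAX_DECOMPRESSED_BYTES);
            System.out.println("unexpected: high-ratio input accepted");
        } catch (DecompressionLimitException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The cap is enforced on every chunk before it is buffered, so the worst case costs one 8 KiB read beyond the limit rather than the full expansion, and the rejection message records how many compressed bytes were consumed, which is a useful signal to log when such tokens arrive at a JWE endpoint.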
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.bitbucket.b_c:jose4j (Maven) | < 0.9.6 | 0.9.6 |
Affected products
jose4j/jose4j
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.