PT-2022-23172 · Jose · Jose

Panva · Published 2022-09-07 · Updated 2023-07-21 · CVE-2022-36083

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

JOSE versions prior to v1.28.2
JOSE versions prior to v2.0.6
JOSE versions prior to v3.20.4
JOSE versions prior to v4.9.2

Description

The PBKDF2-based JWE key management algorithms in JOSE expect a JOSE Header Parameter named p2c (PBES2 Count), which determines the number of PBKDF2 iterations used to derive a CEK wrapping key. This parameter intentionally slows down the key derivation function to make password brute-force and dictionary attacks more expensive. However, this makes the PBES2 algorithms unsuitable for situations where the JWE comes from an untrusted source, as an adversary can pick an extremely high PBES2 Count value, initiating a CPU-bound computation that may take an unreasonable amount of time to finish. The impact is limited to users who use the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties and who do not limit the accepted JWE Key Management Algorithms.

Recommendations

For versions prior to v1.28.2, update to v1.28.2 or later to limit the maximum PBKDF2 iteration count to 10000 by default.
For versions prior to v2.0.6, update to v2.0.6 or later to limit the maximum PBKDF2 iteration count to 10000 by default.
For versions prior to v3.20.4, update to v3.20.4 or later to limit the maximum PBKDF2 iteration count to 10000 by default.
For versions prior to v4.9.2, update to v4.9.2 or later to limit the maximum PBKDF2 iteration count to 10000 by default.

As a temporary workaround, consider using the keyManagementAlgorithms decryption option to disable accepting PBKDF2 altogether, or inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (p2c Header Parameter).
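
The header-inspection workaround, sketched as an added example (not code from this advisory or from the jose project): it parses the protected header of a compact JWE and rejects PBES2 tokens whose p2c is missing, malformed or above a ceiling, before any key derivation runs. The names checkJweHeader, MAX_P2C and sampleJwe are hypothetical, and the sample headers are constructed.

```javascript
// Added example: pre-decryption check of a compact JWE protected header.
const MAX_P2C = 10000; // assumption: same ceiling as the patched default named above

// Encode/decode helpers; Node's 'base64' decoder also accepts the URL-safe alphabet.
const b64url = (s) => Buffer.from(s, 'utf8').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s, 'base64').toString('utf8');

// Returns { ok, alg?, p2c?, reason? } without touching any key material.
function checkJweHeader(compactJwe, { maxP2c = MAX_P2C, allowPbes2 = true } = {}) {
  if (typeof compactJwe !== 'string') return { ok: false, reason: 'not a string' };
  const parts = compactJwe.split('.');
  if (parts.length !== 5) return { ok: false, reason: 'not a compact JWE' };
  let header;
  try {
    header = JSON.parse(fromB64url(parts[0]));
  } catch (err) {
    return { ok: false, reason: 'unparseable protected header' };
  }
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    return { ok: false, reason: 'protected header is not a JSON object' };
  }
  const { alg, p2c } = header;
  if (typeof alg !== 'string') return { ok: false, reason: 'missing alg' };
  if (!alg.startsWith('PBES2-')) return { ok: true, alg }; // p2c is not used by this alg
  if (!allowPbes2) return { ok: false, alg, reason: 'PBES2 not accepted' };
  // Reject strings, floats, negatives and values such as 1e308 before comparing.
  if (!Number.isSafeInteger(p2c) || p2c < 1) return { ok: false, alg, reason: 'invalid p2c' };
  if (p2c > maxP2c) return { ok: false, alg, reason: 'p2c above limit' };
  return { ok: true, alg, p2c };
}

// Constructed sample: real header layout, four placeholder segments (no real ciphertext).
const sampleJwe = (header) => `${b64url(JSON.stringify(header))}.AA.AA.AA.AA`;

const samples = [
  { alg: 'PBES2-HS256+A128KW', enc: 'A128GCM', p2s: 'c2FsdA', p2c: 4096 },
  { alg: 'PBES2-HS256+A128KW', enc: 'A128GCM', p2s: 'c2FsdA', p2c: 2147483647 },
  { alg: 'PBES2-HS512+A256KW', enc: 'A256GCM', p2s: 'c2FsdA', p2c: '4096' },
  { alg: 'dir', enc: 'A256GCM' },
];
for (const h of samples) console.log(h.alg, h.p2c, checkJweHeader(sampleJwe(h)));
```

Run the check before handing the token to the decryption API. JWEs in JSON serialization carry header parameters in additional places and need their own check.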

Exploit

Fix

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2022-36083
GHSA-JV3G-J58F-9MQ9

Affected Products

Jose