CVE-2022-36083 in JOSE

Summary

by MITRE • 09/08/2022

JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive. This makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish. Under certain conditions, it is possible to have the user's environment consume an unreasonable amount of CPU time. The impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means. The `v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option. If users are unable to upgrade their required library version, they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms. They can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether, or they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter).


Analysis

by VulDB Data Team • 09/08/2022

The vulnerability identified as CVE-2022-36083 affects the JOSE library, a comprehensive implementation of JSON Web standards including JWA, JWS, JWE, JWT, JWK, and JWKS for various runtime environments. This library provides cryptographic functionality without external dependencies, utilizing native crypto implementations across Node.js, browsers, Cloudflare Workers, Electron, and Deno. The core issue stems from the PBKDF2-based JWE key management algorithms that rely on a specific header parameter called `p2c` or PBES2 Count to determine the number of PBKDF2 iterations required for deriving the Content Encryption Key (CEK) wrapping key. This parameter serves a crucial security purpose by intentionally increasing computational cost to make brute-force and dictionary attacks more expensive, thereby acting as a defense mechanism against password-based attacks.

The vulnerability arises when processing JWEs from untrusted sources, as adversaries can manipulate the `p2c` parameter to specify extremely high iteration counts that trigger CPU-intensive computations. This creates a potential denial-of-service scenario where legitimate users experience unreasonable processing delays or complete system resource exhaustion. The attack vector specifically targets the JWE decryption APIs when utilizing symmetric secrets for decryption, making it particularly dangerous in environments where untrusted JWEs might be processed without proper algorithm validation. The vulnerability is classified under CWE-400 as an excessive computation vulnerability, where the system's processing resources become consumed inappropriately due to malicious input parameters. The attack pattern aligns with ATT&CK technique T1496, specifically focusing on resource exhaustion attacks through computational overhead manipulation.

The impact of this vulnerability is directly proportional to how extensively the library is used to process untrusted JWE content without proper validation. Deployments that do not use the `keyManagementAlgorithms` decryption option to restrict the accepted key management algorithms are exposed to this attack. The fixed releases of the JOSE library are v1.28.2, v2.0.6, v3.20.4, and v4.9.2, which introduced a default maximum PBKDF2 iteration count of 10,000 (adjustable through the `maxPBES2Count` decryption option) to mitigate this issue; users running older versions remain exposed. The recommended mitigation is upgrading to a patched version, but for those unable to upgrade, two alternatives exist: using the `keyManagementAlgorithms` decryption option to disable the PBKDF2-based algorithms entirely, or inspecting the JOSE header before decryption to enforce a reasonable `p2c` limit. The vulnerability demonstrates the importance of input validation in cryptographic libraries, where a seemingly benign parameter becomes an attack vector when it is not constrained. Organizations using JOSE libraries to process external JWE content should apply these mitigations promptly to prevent denial of service through CPU exhaustion.
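The header-inspection mitigation named in both the Summary and the Analysis above, as an added example that is not code from the jose project: it decodes the protected header of a compact JWE with Node built-ins only (Node.js 16+ assumed), rejects any key management `alg` outside an allowlist, and for the three PBES2 algorithms rejects a `p2c` above a ceiling, defaulting to the same 10,000 the patched releases apply. The allowlist contents, the `makeJwe` helper and its sample headers are constructed for the example.

```javascript
// Added example, not code from the jose project: vet the JOSE protected header
// before handing a compact JWE to a decryption API, the "inspect the JOSE
// Header prior to using the decryption API" mitigation. Node built-ins only.
const PBES2_ALGS = new Set([
  'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
]);
const DEFAULT_ALLOWED_ALGS = new Set(['dir', 'A256KW']); // assumed allowlist
const DEFAULT_MAX_P2C = 10000; // same ceiling the patched releases apply

// Decode the base64url-encoded protected header of a compact JWE
// (header.encryptedKey.iv.ciphertext.tag) without touching the ciphertext.
function decodeProtectedHeader(jwe) {
  const parts = jwe.split('.');
  if (parts.length !== 5) throw new Error('not a compact JWE: expected 5 segments');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    throw new Error('protected header is not a JSON object');
  }
  return header;
}

// Returns { ok: true, header } when the JWE may be passed to decryption,
// otherwise { ok: false, reason }. Rejects unlisted key management
// algorithms and, for PBES2, a p2c that is missing, non-integer, or > maxP2c.
function checkJweHeader(jwe, opts = {}) {
  const allowed = opts.allowedAlgs ?? DEFAULT_ALLOWED_ALGS;
  const maxP2c = opts.maxP2c ?? DEFAULT_MAX_P2C;
  const header = decodeProtectedHeader(jwe);
  if (typeof header.alg !== 'string' || !allowed.has(header.alg)) {
    return { ok: false, reason: `alg ${String(header.alg)} not in allowlist` };
  }
  if (PBES2_ALGS.has(header.alg)) {
    const p2c = header.p2c;
    if (!Number.isInteger(p2c) || p2c < 1 || p2c > maxP2c) {
      return { ok: false, reason: `p2c ${String(p2c)} outside 1..${maxP2c}` };
    }
  }
  return { ok: true, header };
}

// Constructed sample JWE: only the header is meaningful, other segments are dummies.
function makeJwe(header) {
  const b64 = Buffer.from(JSON.stringify(header)).toString('base64url');
  return [b64, 'AAAA', 'AAAA', 'AAAA', 'AAAA'].join('.');
}

// Demo: a PBES2 header carrying an abusive iteration count is refused.
const demo = makeJwe({ alg: 'PBES2-HS256+A128KW', enc: 'A128GCM', p2s: 'AAAA', p2c: 2 ** 31 - 1 });
console.log(checkJweHeader(demo, { allowedAlgs: PBES2_ALGS }));
```

In the patched releases the same two checks are what the `keyManagementAlgorithms` and `maxPBES2Count` decryption options perform inside the library; this pre-check is for deployments that cannot upgrade.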

Responsible

GitHub, Inc.

Reservation

07/15/2022

Disclosure

09/08/2022

Moderation

accepted

CPE

ready

EPSS

0.01080

KEV

no

Activities

very low

Sources
