zipcve
This is about CVE Denial of service vulnerability with zipped JWE
An attacker could exploit this vulnerability by crafting a malicious JSON Web Encryption (JWE) token with a high compression ratio. This token, when processed by a server, leads to excessive memory allocation and processing time during decompression, causing a denial-of-service (DoS) condition.
It's important to note that the attacker must have access to the public encrypt key registered with the IDP (Entra ID) for successful exploitation.
The fix in System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens.JsonWebToken versions 5.7.0, 6.34.0, and 7.1.2 and above prevents the issue where a deflated token expands to a large size prior to failing token validation for encrypted tokens (JWE). The fix applies the maximum token size (250K default) for expansion.
This is an unauthenticated attack, a possible defense is to monitor memory spikes and correlate to an inbound IP or service. If encrypted tokens are not expected, custom code would be needed to examine inbound requests. Monitor any increases in Out of memories errors across services.
While a complete revert is not recommended as token size should be bounded.
The size of an acceptable token size can be increased to int.MaxValue.
Conceptual Documentation
- Using TokenValidationParameters.ValidateIssuerSigningKey
- Scenarios
- Validating tokens
- Outbound policy claim type mapping
- How ASP.NET Core uses Microsoft.IdentityModel extensions for .NET
- Using a custom CryptoProvider
- SignedHttpRequest aka PoP (Proof-of-Possession)
- Creating and Validating JWEs (Json Web Encryptions)
- Caching in Microsoft.IdentityModel
- Resiliency on metadata refresh
- Use KeyVault extensions