chore(all): update module github.com/lestrrat-go/jwx/v2 to v2.0.21 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/lestrrat-go/jwx/v2	v2.0.19 -> v2.0.21

GitHub Vulnerability Alerts

CVE-2024-28122

Summary

This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.

Details

The attacker needs to obtain a valid public key to compress the payload. It needs to be valid so that the recipient can use to successfully decompress the payload. Furthermore in context JWT processing in the v2 versions, the recipient must explicitly allow JWE handling .

The attacker then crafts a message with high compression ratio, e.g. a payload with very high frequency of repeating patterns that can decompress to a much larger size. If the payload is large enough, recipient who is decompressing the data will have to allocate a large amount of memory, which then can lead to a denial of service.

The original report includes a reference to [1], but there are some very subtle differences between this library and the aforementioned issue. The most important aspect is that the referenced issue focuses on JWT processing, whereas this library is intentionally divided into parts that comprise JOSE, i.e. JWT, JWS, JWE, JWK. In particular, v2 of this library does not attempt to handle JWT payload enveloped in a JWE message automatically (v1 attempted to do this automatically, but it was never stable).

Reflecting this subtle difference, the approach taken to mitigate this vulnerability is slightly different from the referenced issue. The referenced issue limits the size of JWT when parsing, but the fixes for this library limits the maximum size of the decompressed data when decrypting JWE messages. Therefore the fix in this library is applicable regardless of the usage context, and a limit is now imposed on the size of the message that our JWE implementation can handle.

Proof of Concept

Modified from the original report to fit the vulnerability better:

// The value below just needs to be "large enough" so that the it puts enough strain on the
// recipient's environment. The value below is a safe size on my machine to run the test
// without causing problems. When you increase the payload size, at some point the processing
// will be slow enough to virtually freeze the program or cause a memory allocation error
const payloadSize = 1 << 31

privkey, err := rsa.GenerateKey(rand.Reader, 2048)
require.NoError(t, err, `rsa.GenerateKey should succeed`)
pubkey := &privkey.PublicKey
payload := strings.Repeat("x", payloadSize)

encrypted, err := jwe.Encrypt([]byte(payload), jwe.WithKey(jwa.RSA_OAEP, pubkey), jwe.WithContentEncryption("A128CBC-HS256"), jwe.WithCompress(jwa.Deflate))
require.NoError(t, err, `jwe.Encrypt should succeed`)
_, err = jwe.Decrypt(encrypted, jwe.WithKey(jwa.RSA_OAEP, privkey)) // Will be allocating large amounts of memory
require.Error(t, err, `jwe.Decrypt should fail`)

References

[1] CVE-2024-21319

---

Release Notes

lestrrat-go/jwx (github.com/lestrrat-go/jwx/v2)

v2.0.21

Compare Source

v2.0.21 07 Mar 2024

[Security]

• [jwe] Added jwe.Settings(jwe.WithMaxDecompressBufferSize(int64)) to specify the
  maximum size of a decompressed JWE payload. The default value is 10MB. If you
  are compressing payloads greater than this and want to decompress it during
  a call to jwe.Decrypt, you need to explicitly set a value large enough to
  hold that data.

  The same option can be passed to jwe.Decrypt to control this behavior on
  a per-message basis.

• [jwe] Added documentation stating that jwe.WithMaxBufferSize option will be
  renamed in future versions, i.e. v3

v2.0.20

Compare Source

v2.0.20 20 Feb 2024

[New Features]

• [jwe] Added jwe.Settings(WithMaxBufferSize(int64)) to set the maximum size of
  internal buffers. The default value is 256MB. Most users do not need to change
  this value.
• [jws] Allow jws.WithCompact() and jws.WithJSON() to be passed to jws.Parse() and
  jws.Verify(). These options control the expected serialization format for the
  JWS message.
• [jwt] Add jwt.WithCompactOnly() to specify that only compact serialization can
  be used for jwt.Parse(). Previously, by virtue of jws.Parse() allowing either
  JSON or Compact serialization format, jwt.Parse() also alloed JSON serialization
  where as RFC7519 explicitly states that only compact serialization should be
  used. For backward compatibility the default behavior is not changed, but you
  can set this global option for jwt: jwt.Settings(jwt.WithCompactOnly(true))

[Miscellaneous]

• Internal key conversions should now allow private keys to be used in place of
  public keys. This would allow you to pass private keys where public keys are
  expected.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.