
github.com/lestrrat-go/jwx vulnerable to Potential Padding Oracle Attack

Moderate severity GitHub Reviewed Published Jun 14, 2023 in lestrrat-go/jwx • Updated Jun 14, 2023

Package: github.com/lestrrat-go/jwx (Go, gomod)
Affected versions: <= 1.2.25
Patched versions: 1.2.26

Package: github.com/lestrrat-go/jwx/v2 (Go, gomod)
Affected versions: <= 2.0.10
Patched versions: 2.0.11

Description

Summary

Decrypting AES-CBC encrypted JWE is potentially vulnerable to a padding oracle attack.

Details

On v2.0.10, decrypting an AES-CBC encrypted JWE may return the error "failed to generate plaintext from decrypted blocks: invalid padding":

https://github.com/lestrrat-go/jwx/blob/8840ffd4afc5839f591ff0e9ba9034af52b1643e/jwe/internal/aescbc/aescbc.go#L210-L213

Reporting a distinguishable padding error is what makes a padding oracle attack possible.
RFC 7516 (JSON Web Encryption) says that implementations MUST NOT do this:

11.5. Timing Attacks
To mitigate the attacks described in RFC 3218 [RFC3218], the
recipient MUST NOT distinguish between format, padding, and length
errors of encrypted keys. It is strongly recommended, in the event
of receiving an improperly formatted key, that the recipient
substitute a randomly generated CEK and proceed to the next step, to
mitigate timing attacks.

In addition, the time taken to remove the padding depends on the padding length, which may leak that length through a timing attack:

https://github.com/lestrrat-go/jwx/blob/796b2a9101cf7e7cb66455e4d97f3c158ee10904/jwe/internal/aescbc/aescbc.go#L33-L66

To mitigate timing attacks, padding removal MUST be done in constant time.
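A constant-time PKCS#7 unpadding routine of the kind the advisory calls for, added here as an illustration; it is not the jwx project's code and not the fix that shipped in 1.2.26 / 2.0.11. It assumes the HMAC tag has already been verified before unpadding (as the Impact section notes) and uses only crypto/subtle from the Go standard library; the sample input is constructed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// blockSize is the AES block size used by the JWE AES-CBC-HMAC algorithms.
const blockSize = 16

// unpadConstantTime removes PKCS#7 padding from a decrypted CBC plaintext
// without branching on the padding bytes. It always examines the whole final
// block, so its running time does not depend on the padding length, and it
// reports failure through a single boolean rather than distinct error values,
// so format, padding and length problems look the same to a caller.
// JWE requires the HMAC tag to be verified before this step is reached.
func unpadConstantTime(plaintext []byte) ([]byte, bool) {
	n := len(plaintext)
	if n == 0 || n%blockSize != 0 {
		return nil, false // ciphertext length is public, so this branch leaks nothing
	}
	padLen := int(plaintext[n-1])

	// valid is 1 while every check passes and 0 otherwise; it is only
	// updated with bitwise operations, never with a data-dependent branch.
	valid := subtle.ConstantTimeLessOrEq(1, padLen) &
		subtle.ConstantTimeLessOrEq(padLen, blockSize)

	// Scan all blockSize trailing bytes. A byte counts as padding when it lies
	// within padLen of the end; every such byte must equal padLen.
	for i := 0; i < blockSize; i++ {
		inPad := subtle.ConstantTimeLessOrEq(i+1, padLen)
		match := subtle.ConstantTimeByteEq(plaintext[n-1-i], byte(padLen))
		valid &= (inPad ^ 1) | match
	}

	if valid != 1 {
		return nil, false
	}
	return plaintext[:n-padLen], true
}

func main() {
	// Constructed sample: 10 bytes of message plus 6 bytes of PKCS#7 padding.
	msg := append([]byte("hello jwe!"), 6, 6, 6, 6, 6, 6)
	out, ok := unpadConstantTime(msg)
	fmt.Printf("%q %v\n", out, ok) // "hello jwe!" true
}
```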

Impact

The authentication tag is verified, so this is not an immediately exploitable attack.

References

@lestrrat lestrrat published to lestrrat-go/jwx Jun 14, 2023
Published to the GitHub Advisory Database Jun 14, 2023
Reviewed Jun 14, 2023
Last updated Jun 14, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-rm8v-mxj3-5rmq
