
CVE-2023-52428 #3599

Closed
mightymoogle opened this issue Mar 13, 2024 · 2 comments · Fixed by #3605

@mightymoogle

Expected behavior

We expect no issues to be detected when the .jar file is scanned with Sonatype Nexus. The ApplicationInsights .jar file should include non-vulnerable library versions of Connect2id Nimbus JOSE+JWT (versions before 9.37.2 are vulnerable to CVE-2023-52428 according to https://nvd.nist.gov/vuln/detail/CVE-2023-52428).

Actual behavior

Our Sonatype Nexus detects CVE-2023-52428 in the ApplicationInsights .jar file (affected versions 3.2.0-BETA to the latest 3.5.1) with root cause:
applicationinsights-agent-3.5.1.jarinst/com/nimbusds/jose/crypto/PasswordBasedDecrypter.classdata[4.0-rc1, 9.37.2)

Description from CVE

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

Explanation

The nimbus-jose-jwt package is vulnerable to Denial of Service (DoS) attacks. The decrypt() method in the PasswordBasedDecrypter class fails to properly validate the length of the JWE p2c header. A remote attacker can exploit this vulnerability by supplying an oversized PBES2Count value, causing the application to consume all available resources and ultimately leading to a DoS condition.

To Reproduce

Perform a Sonatype Nexus scan on the ApplicationInsights .jar file or a Docker image file that includes the ApplicationInsights .jar file.

System information

Application Insights Java 3.5.1 (GA)

Logs

None applicable

Screenshots

image
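The explanation above describes the failure mode: the iteration count (`p2c`) comes straight out of the attacker-controlled JWE header and feeds PBKDF2 before anyone checks its size. The following Python is an added illustration of the defensive pattern, not code from this issue, from ApplicationInsights or from the nimbus-jose-jwt library. It parses a PBES2 protected header, bounds `p2c` before any work proportional to it is done, and only then derives the key per RFC 7518 section 4.8.1.1 (salt = alg || 0x00 || p2s). The `MAX_P2C` and `MIN_P2C` limits and the sample headers are assumptions constructed for the example; the cap a real deployment chooses belongs to its own threat model.

```python
import base64
import hashlib
import json

# Assumed bounds for the PBES2 iteration count accepted from an untrusted header.
# Constructed for this example; not the limits nimbus-jose-jwt ships with.
MAX_P2C = 1_000_000
MIN_P2C = 1000  # RFC 7518 recommends at least 1000 for PBES2

# Only one algorithm is modelled here; it maps to HMAC-SHA-256 and a 16-byte KEK.
SUPPORTED_ALG = "PBES2-HS256+A128KW"
KEK_LEN = 16


class RejectedHeader(ValueError):
    """Raised when the protected header must not be processed any further."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_protected_header(encoded: str) -> dict:
    """Decode the base64url JSON protected header of a compact JWE."""
    return json.loads(_b64url_decode(encoded))


def validate_p2c(header: dict) -> int:
    """Return p2c only if it is a genuine integer inside [MIN_P2C, MAX_P2C].

    This is the check the CVE text says PasswordBasedDecrypter.decrypt() lacked:
    it must run before PBKDF2, because PBKDF2's cost is linear in p2c.
    """
    p2c = header.get("p2c")
    if not isinstance(p2c, int) or isinstance(p2c, bool):
        raise RejectedHeader("p2c missing or not an integer")
    if p2c < MIN_P2C:
        raise RejectedHeader(f"p2c {p2c} below minimum {MIN_P2C}")
    if p2c > MAX_P2C:
        raise RejectedHeader(f"p2c {p2c} exceeds cap {MAX_P2C}; refusing to run PBKDF2")
    return p2c


def derive_pbes2_key(password: bytes, header: dict) -> bytes:
    """PBES2 key derivation with the salt construction from RFC 7518 4.8.1.1."""
    if header.get("alg") != SUPPORTED_ALG:
        raise RejectedHeader(f"unsupported alg {header.get('alg')!r}")
    p2c = validate_p2c(header)            # bounded before any expensive work
    salt = SUPPORTED_ALG.encode("ascii") + b"\x00" + _b64url_decode(header["p2s"])
    return hashlib.pbkdf2_hmac("sha256", password, salt, p2c, dklen=KEK_LEN)


def process_header(password: bytes, encoded_header: str):
    """Return ("ok", kek) for an acceptable header, ("rejected", reason) otherwise."""
    try:
        header = parse_protected_header(encoded_header)
        return "ok", derive_pbes2_key(password, header)
    except (RejectedHeader, KeyError, ValueError) as exc:
        return "rejected", str(exc)


# Constructed sample headers (not captured from any real system).
SAMPLE_P2S = _b64url_encode(b"constructed-salt")


def _header(p2c) -> str:
    return _b64url_encode(json.dumps(
        {"alg": SUPPORTED_ALG, "enc": "A128CBC-HS256", "p2s": SAMPLE_P2S, "p2c": p2c},
        separators=(",", ":")).encode("utf-8"))


GOOD_HEADER = _header(4096)          # normal client
OVERSIZED_HEADER = _header(2**31 - 1)  # the DoS shape described in the CVE
TINY_HEADER = _header(1)             # below the RFC floor

if __name__ == "__main__":
    pw = b"correct horse"
    for name, h in [("good", GOOD_HEADER), ("oversized", OVERSIZED_HEADER), ("tiny", TINY_HEADER)]:
        status, detail = process_header(pw, h)
        print(name, status, detail.hex() if status == "ok" else detail)
```

The oversized header is rejected in constant time from the size check alone; the derivation for the good header runs its 4096 rounds as usual. The same ordering (bound, then derive) is what a patched decrypter has to enforce, whichever cap it picks.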

@heyams
Contributor

heyams commented Mar 13, 2024

@mightymoogle I understand your concern. However, that CVE hasn't listed the impacted version. I guess it's still under investigation?
image

@mightymoogle
Author

Hello @heyams, you are correct - the GitHub page indeed does not have an affected version explicitly specified, and the NVD page has been showing an "awaiting analysis" banner for a while. Yet the description states that versions before 9.37.2 are affected, which can be further seen in the fix for PasswordBasedDecrypter - https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/.

Vulnerability description at Sonatype

We also see other projects upgrading the libraries to fix the vulnerability:

microsoft-authentication-library-for-android

Wildfly

Whether you want to upgrade now or wait for the issue to be analyzed is fully up to you. We are not aware if the vulnerability actually affects ApplicationInsights directly.
