CVE-2023-52428
Expected behavior
We expect no issues detected when .jar file is scanned with Sonatype Nexus. ApplicationInsights .jar file should include non-vulnerable library versions of Connect2id Nimbus JOSE+JWT (versions before 9.37.2 are vulnerable to CVE-2023-52428 according to https://nvd.nist.gov/vuln/detail/CVE-2023-52428).
Actual behavior
Our Sonatype Nexus detects CVE-2023-52428 in the ApplicationInsights .jar file (versions affected 3.2.0-BETA to latest 3.5.1) with root cause:
applicationinsights-agent-3.5.1.jar inst/com/nimbusds/jose/crypto/PasswordBasedDecrypter.classdata [4.0-rc1, 9.37.2)
Description from CVE
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
Explanation
The nimbus-jose-jwt package is vulnerable to Denial of Service (DoS) attacks. The decrypt() method in the PasswordBasedDecrypter class fails to properly validate the length of the JWE p2c header. A remote attacker can exploit this vulnerability by supplying an oversized PBES2Count value, causing the application to consume all available resources and ultimately leading to a DoS condition.
To Reproduce
Perform a Sonatype Nexus scan on the ApplicationInsights .jar file or a Docker image file that includes the ApplicationInsights .jar file.
System information
Application Insights Java 3.5.1 (GA)
Logs
None applicable
@mightymoogle I understand your concern. However, that CVE hasn't listed the impacted version. I guess it's still under investigation?
Hello @heyams , you are correct - the GitHub page indeed does not have an affected version explicitly specified, and the NVD page has had an "awaiting analysis" banner for a while. Yet the description states that versions before 9.37.2 are affected, which can be further seen in the fix for PasswordBasedDecrypter - https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/. Vulnerability description at Sonatype
We also see other projects upgrading the libraries to fix the vulnerability: microsoft-authentication-library-for-android, Wildfly
Whether you want to upgrade now or wait for the issue to be analyzed is fully up to you. We are not aware if the vulnerability actually affects ApplicationInsights directly.
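A pre-decryption guard for the JWE p2c header discussed in the CVE description above, added here as an example and not code from the Application Insights or nimbus-jose-jwt projects: it parses the JWE protected header and refuses PBES2 tokens whose iteration count exceeds a cap before the token ever reaches a password-based decrypter. The cap value MAX_P2C and all helper names are assumptions for this example.

```python
import base64
import json

# Upper bound on the PBES2 iteration count accepted before a token is handed to
# the JWE library. The exact limit is an assumption for this example, not the
# value nimbus-jose-jwt 9.37.2 enforces; pick one that matches your own tokens.
MAX_P2C = 1_000_000
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def _b64url_decode(segment: str) -> bytes:
    # JWE segments omit base64url padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def protected_header(jwe_compact: str) -> dict:
    # Compact JWE: header.encrypted_key.iv.ciphertext.tag
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("not a JWE compact serialization (expected 5 parts)")
    return json.loads(_b64url_decode(parts[0]))


def check_p2c(jwe_compact: str, max_p2c: int = MAX_P2C) -> int:
    """Return the p2c value if it is acceptable, raise ValueError otherwise."""
    hdr = protected_header(jwe_compact)
    alg = hdr.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"alg {alg!r} is not a PBES2 algorithm")
    p2c = hdr.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(p2c, int) or isinstance(p2c, bool) or p2c < 1:
        raise ValueError("p2c missing or not a positive integer")
    if p2c > max_p2c:
        # Reject here; PBKDF2 work grows linearly with p2c (the DoS vector).
        raise ValueError(f"p2c={p2c} exceeds cap {max_p2c}")
    return p2c


def make_sample_jwe(p2c, alg: str = "PBES2-HS256+A128KW") -> str:
    # Constructed sample token: only the protected header matters for this
    # check, so the other four segments are placeholders, not real ciphertext.
    hdr = {"alg": alg, "enc": "A128GCM", "p2s": "c2FsdA", "p2c": p2c}
    h = base64.urlsafe_b64encode(json.dumps(hdr).encode()).rstrip(b"=").decode()
    return ".".join([h, "a", "b", "c", "d"])
```

Run check_p2c on every incoming PBES2 JWE before calling the library's decrypter; an agent that only consumes tokens it issued itself can set the cap to the exact count it uses.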