RHSA-2023:4411: Red Hat Security Advisory: cjose security update
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-37464: A vulnerability was found in cjose, a C library implementing JavaScript Object Signing and Encryption (JOSE). The AES-GCM decryption routine takes the Authentication Tag length from the tag actually present in the JSON Web Encryption (JWE) object instead of applying the fixed length of 16 octets (128 bits) that RFC 7518 specifies for the A128GCM, A192GCM and A256GCM content encryption algorithms. Because the verifier accepts whatever tag length the sender supplies, an attacker can present a JWE with a truncated Authentication Tag and modify the JWE; with the tag truncated to a single octet, a forged ciphertext is accepted after at most 256 attempts.
Synopsis
Important: cjose security update
Type/Severity
Security Advisory: Important
Topic
An update for cjose is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). On Red Hat Enterprise Linux it is used by mod_auth_openidc, the OpenID Connect module for the Apache HTTP Server, which is covered by separate advisories for the same CVE.
Security Fix(es):
- cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE (CVE-2023-37464)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Note that a process which already has the old shared library mapped, such as httpd with mod_auth_openidc loaded, keeps executing the vulnerable code until it is restarted after the update.
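To make the defect concrete, here is an added example (not cjose's code) of the policy that closes it: a pure-Python, stdlib-only parser for the JWE compact serialization that derives the expected Authentication Tag length from the `enc` header and refuses the token before any AEAD call is made when the tag carried in the token has a different length. cjose's own fix applies the fixed 16-octet length inside its AES-GCM decryption; this example expresses the same rule at the token-parsing layer and also covers the AES-CBC-HMAC algorithms. The sample tokens are constructed with placeholder bytes, so no real encryption takes place; only the structural validation is exercised.

```python
"""Pre-decryption JWE sanity checks: reject an Authentication Tag of the wrong
length before any AEAD call is made.  Added example, stdlib only; not cjose code."""
import base64
import json

# Fixed Authentication Tag length in octets for each JWE "enc" algorithm:
# the AES-GCM variants use a 128-bit tag (RFC 7518 section 5.3); the
# AES-CBC-HMAC variants use a truncated HMAC of 16/24/32 octets (section 5.2).
EXPECTED_TAG_LEN = {
    "A128GCM": 16, "A192GCM": 16, "A256GCM": 16,
    "A128CBC-HS256": 16, "A192CBC-HS384": 24, "A256CBC-HS512": 32,
}
GCM_IV_LEN = 12  # 96-bit IV for the GCM variants (RFC 7518 section 5.3)


class JWEError(ValueError):
    """Raised for any structural problem; the caller must not attempt decryption."""


def b64url_decode(s: str) -> bytes:
    # JWE uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_jwe_compact(token: str) -> dict:
    """Split the compact serialization (RFC 7516 section 7.1) into its five parts."""
    parts = token.split(".")
    if len(parts) != 5:
        raise JWEError("JWE compact serialization needs exactly 5 dot-separated parts")
    protected_b64, key_b64, iv_b64, ct_b64, tag_b64 = parts
    try:
        header = json.loads(b64url_decode(protected_b64))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise JWEError(f"unparseable protected header: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(header.get("enc"), str):
        raise JWEError("protected header must carry a string 'enc' member")
    try:
        return {
            "header": header,
            "encrypted_key": b64url_decode(key_b64),
            "iv": b64url_decode(iv_b64),
            "ciphertext": b64url_decode(ct_b64),
            "tag": b64url_decode(tag_b64),
        }
    except ValueError as exc:
        raise JWEError(f"bad base64url in JWE: {exc}") from exc


def check_tag_length(header: dict, tag: bytes) -> int:
    """The rule behind the CVE-2023-37464 fix: the tag length comes from the
    algorithm, never from the token.  Returns the enforced length."""
    enc = header["enc"]
    expected = EXPECTED_TAG_LEN.get(enc)
    if expected is None:
        raise JWEError(f"unsupported enc {enc!r}")
    if len(tag) != expected:
        raise JWEError(f"{enc} requires a {expected}-octet tag, token carries {len(tag)}")
    return expected


def validate_jwe(token: str) -> dict:
    """Everything that can be checked before touching any key material."""
    jwe = parse_jwe_compact(token)
    check_tag_length(jwe["header"], jwe["tag"])
    if jwe["header"]["enc"].endswith("GCM") and len(jwe["iv"]) != GCM_IV_LEN:
        raise JWEError(f"GCM IV must be {GCM_IV_LEN} octets, got {len(jwe['iv'])}")
    return jwe


def is_accepted(token: str) -> bool:
    """True only if the token passes every structural check above."""
    try:
        validate_jwe(token)
        return True
    except JWEError:
        return False


def make_test_token(enc: str, tag_len: int) -> str:
    """Constructed sample JWE with placeholder bytes (no real encryption); it only
    exercises the structural checks.  'dir' key management means an empty key part."""
    header = b64url_encode(json.dumps({"alg": "dir", "enc": enc}).encode())
    iv = b64url_encode(bytes(range(GCM_IV_LEN)))
    ciphertext = b64url_encode(b"\xaa" * 20)
    tag = b64url_encode(b"\x55" * tag_len)
    return f"{header}..{iv}.{ciphertext}.{tag}"


if __name__ == "__main__":
    for n in (16, 8, 1):
        verdict = "accepted" if is_accepted(make_test_token("A256GCM", n)) else "rejected"
        print(f"A256GCM token with {n}-octet tag: {verdict}")
```

A decryptor that instead forwards `len(tag)` to the AEAD primitive (the pattern the CVE describes) lets the sender choose how many tag bits are verified, which is why the length must be pinned to the algorithm before the ciphertext is ever touched.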
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
- Red Hat Enterprise Linux Server - AUS 9.2 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
- Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64
- Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x
Fixes
- BZ - 2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
Red Hat Enterprise Linux for x86_64 9
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
x86_64
cjose-0.6.1-13.el9_2.i686.rpm
SHA-256: 0b6266f8ab20daf450d5d490780d7517c0fb1bbb72510284cf21246908f8b0c2
cjose-0.6.1-13.el9_2.x86_64.rpm
SHA-256: 8077a8f694b4b05d8712a1614f940d10ab41a30b3bcc5b32fc40d4bc5a1aec82
cjose-debuginfo-0.6.1-13.el9_2.i686.rpm
SHA-256: 4b3c98a26b01762e011225d224d98bc6314a23ec0cf0cf815be9fd69a41710e8
cjose-debuginfo-0.6.1-13.el9_2.x86_64.rpm
SHA-256: 08187649350460b07264a96b03b3ec5135b9958609f5512ee73d44a58a784d4e
cjose-debugsource-0.6.1-13.el9_2.i686.rpm
SHA-256: 65d9ae02f6a1b8b299fd66d34cad55624566a4083a82714bb458ccf0b017057c
cjose-debugsource-0.6.1-13.el9_2.x86_64.rpm
SHA-256: a7eecc49bb40573d82956630dddbf34fe9c35e410b4354a223f7d11b64055ef3
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
x86_64
cjose-0.6.1-13.el9_2.i686.rpm
SHA-256: 0b6266f8ab20daf450d5d490780d7517c0fb1bbb72510284cf21246908f8b0c2
cjose-0.6.1-13.el9_2.x86_64.rpm
SHA-256: 8077a8f694b4b05d8712a1614f940d10ab41a30b3bcc5b32fc40d4bc5a1aec82
cjose-debuginfo-0.6.1-13.el9_2.i686.rpm
SHA-256: 4b3c98a26b01762e011225d224d98bc6314a23ec0cf0cf815be9fd69a41710e8
cjose-debuginfo-0.6.1-13.el9_2.x86_64.rpm
SHA-256: 08187649350460b07264a96b03b3ec5135b9958609f5512ee73d44a58a784d4e
cjose-debugsource-0.6.1-13.el9_2.i686.rpm
SHA-256: 65d9ae02f6a1b8b299fd66d34cad55624566a4083a82714bb458ccf0b017057c
cjose-debugsource-0.6.1-13.el9_2.x86_64.rpm
SHA-256: a7eecc49bb40573d82956630dddbf34fe9c35e410b4354a223f7d11b64055ef3
Red Hat Enterprise Linux Server - AUS 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
x86_64
cjose-0.6.1-13.el9_2.i686.rpm
SHA-256: 0b6266f8ab20daf450d5d490780d7517c0fb1bbb72510284cf21246908f8b0c2
cjose-0.6.1-13.el9_2.x86_64.rpm
SHA-256: 8077a8f694b4b05d8712a1614f940d10ab41a30b3bcc5b32fc40d4bc5a1aec82
cjose-debuginfo-0.6.1-13.el9_2.i686.rpm
SHA-256: 4b3c98a26b01762e011225d224d98bc6314a23ec0cf0cf815be9fd69a41710e8
cjose-debuginfo-0.6.1-13.el9_2.x86_64.rpm
SHA-256: 08187649350460b07264a96b03b3ec5135b9958609f5512ee73d44a58a784d4e
cjose-debugsource-0.6.1-13.el9_2.i686.rpm
SHA-256: 65d9ae02f6a1b8b299fd66d34cad55624566a4083a82714bb458ccf0b017057c
cjose-debugsource-0.6.1-13.el9_2.x86_64.rpm
SHA-256: a7eecc49bb40573d82956630dddbf34fe9c35e410b4354a223f7d11b64055ef3
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
s390x
cjose-0.6.1-13.el9_2.s390x.rpm
SHA-256: dddadd241209ebc9868fd39ebbd107a0c12fcea33873822f28bdb48feeb788c0
cjose-debuginfo-0.6.1-13.el9_2.s390x.rpm
SHA-256: 0d0f50c51294578ec9e550a54b400674b86e2f84a3e97fd8ac76b1d12620f9d9
cjose-debugsource-0.6.1-13.el9_2.s390x.rpm
SHA-256: 49bc91a011ec3351718480300f4337901ba5b98372c3debc8495d98e30c21c73
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
s390x
cjose-0.6.1-13.el9_2.s390x.rpm
SHA-256: dddadd241209ebc9868fd39ebbd107a0c12fcea33873822f28bdb48feeb788c0
cjose-debuginfo-0.6.1-13.el9_2.s390x.rpm
SHA-256: 0d0f50c51294578ec9e550a54b400674b86e2f84a3e97fd8ac76b1d12620f9d9
cjose-debugsource-0.6.1-13.el9_2.s390x.rpm
SHA-256: 49bc91a011ec3351718480300f4337901ba5b98372c3debc8495d98e30c21c73
Red Hat Enterprise Linux for Power, little endian 9
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
ppc64le
cjose-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 7f14458ff84c807617e4bceb3f40c0f049f7ec4b7e298db784e1f37f93243f53
cjose-debuginfo-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 64300333e49c44d15272faebf8393e4e577127c8fc91e48a56b493c1e3e89186
cjose-debugsource-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 340189f4b793f804ec0ef55f7479c4646e920db305548dcdca79bb52c849a0f6
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
ppc64le
cjose-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 7f14458ff84c807617e4bceb3f40c0f049f7ec4b7e298db784e1f37f93243f53
cjose-debuginfo-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 64300333e49c44d15272faebf8393e4e577127c8fc91e48a56b493c1e3e89186
cjose-debugsource-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 340189f4b793f804ec0ef55f7479c4646e920db305548dcdca79bb52c849a0f6
Red Hat Enterprise Linux for ARM 64 9
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
aarch64
cjose-0.6.1-13.el9_2.aarch64.rpm
SHA-256: 86142b9f034b3be356bb7f498ab1519b56612a63958f0b3ad1c86f3958c952ec
cjose-debuginfo-0.6.1-13.el9_2.aarch64.rpm
SHA-256: e62433f03ac69e5b781d3d2b0477130c582e1f47561eeaabc59ebda1fa9ac4c4
cjose-debugsource-0.6.1-13.el9_2.aarch64.rpm
SHA-256: f2d23be1b055af530821dc94db97501836cb3f9bacc0c6c828ec6462276c8154
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
aarch64
cjose-0.6.1-13.el9_2.aarch64.rpm
SHA-256: 86142b9f034b3be356bb7f498ab1519b56612a63958f0b3ad1c86f3958c952ec
cjose-debuginfo-0.6.1-13.el9_2.aarch64.rpm
SHA-256: e62433f03ac69e5b781d3d2b0477130c582e1f47561eeaabc59ebda1fa9ac4c4
cjose-debugsource-0.6.1-13.el9_2.aarch64.rpm
SHA-256: f2d23be1b055af530821dc94db97501836cb3f9bacc0c6c828ec6462276c8154
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
ppc64le
cjose-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 7f14458ff84c807617e4bceb3f40c0f049f7ec4b7e298db784e1f37f93243f53
cjose-debuginfo-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 64300333e49c44d15272faebf8393e4e577127c8fc91e48a56b493c1e3e89186
cjose-debugsource-0.6.1-13.el9_2.ppc64le.rpm
SHA-256: 340189f4b793f804ec0ef55f7479c4646e920db305548dcdca79bb52c849a0f6
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
x86_64
cjose-0.6.1-13.el9_2.i686.rpm
SHA-256: 0b6266f8ab20daf450d5d490780d7517c0fb1bbb72510284cf21246908f8b0c2
cjose-0.6.1-13.el9_2.x86_64.rpm
SHA-256: 8077a8f694b4b05d8712a1614f940d10ab41a30b3bcc5b32fc40d4bc5a1aec82
cjose-debuginfo-0.6.1-13.el9_2.i686.rpm
SHA-256: 4b3c98a26b01762e011225d224d98bc6314a23ec0cf0cf815be9fd69a41710e8
cjose-debuginfo-0.6.1-13.el9_2.x86_64.rpm
SHA-256: 08187649350460b07264a96b03b3ec5135b9958609f5512ee73d44a58a784d4e
cjose-debugsource-0.6.1-13.el9_2.i686.rpm
SHA-256: 65d9ae02f6a1b8b299fd66d34cad55624566a4083a82714bb458ccf0b017057c
cjose-debugsource-0.6.1-13.el9_2.x86_64.rpm
SHA-256: a7eecc49bb40573d82956630dddbf34fe9c35e410b4354a223f7d11b64055ef3
Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
aarch64
cjose-0.6.1-13.el9_2.aarch64.rpm
SHA-256: 86142b9f034b3be356bb7f498ab1519b56612a63958f0b3ad1c86f3958c952ec
cjose-debuginfo-0.6.1-13.el9_2.aarch64.rpm
SHA-256: e62433f03ac69e5b781d3d2b0477130c582e1f47561eeaabc59ebda1fa9ac4c4
cjose-debugsource-0.6.1-13.el9_2.aarch64.rpm
SHA-256: f2d23be1b055af530821dc94db97501836cb3f9bacc0c6c828ec6462276c8154
Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2
SRPM
cjose-0.6.1-13.el9_2.src.rpm
SHA-256: a8e7c671afb9303085e3e43ae27ad41684fb6109684ee61c6ab75183c601c69b
s390x
cjose-0.6.1-13.el9_2.s390x.rpm
SHA-256: dddadd241209ebc9868fd39ebbd107a0c12fcea33873822f28bdb48feeb788c0
cjose-debuginfo-0.6.1-13.el9_2.s390x.rpm
SHA-256: 0d0f50c51294578ec9e550a54b400674b86e2f84a3e97fd8ac76b1d12620f9d9
cjose-debugsource-0.6.1-13.el9_2.s390x.rpm
SHA-256: 49bc91a011ec3351718480300f4337901ba5b98372c3debc8495d98e30c21c73
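To confirm that a host has actually picked up this update, the following added example (not Red Hat tooling) compares the installed cjose Epoch:Version-Release against the fixed build 0.6.1-13.el9_2 from the package lists above, and checks a downloaded RPM against the SHA-256 printed in the advisory. It re-implements rpm's version comparison (rpmvercmp) in Python so the comparison runs anywhere; the `rpm -q` wrapper only does anything on an RPM-based host. Assumptions: cjose ships with epoch 0, and the host is on one of the Red Hat Enterprise Linux 9.2 streams listed under Affected Products. Red Hat Enterprise Linux 9.0 Extended Update Support receives its own build under a separate advisory, and its release string must be compared against that advisory, not this one.

```python
"""Decide whether an installed cjose package is at or beyond the build this
advisory ships.  Added example, not Red Hat tooling; compares Epoch:Version-Release
the way rpm does (rpmvercmp re-implemented in Python)."""
import hashlib
import re
import subprocess
from typing import Optional

# Fixed build from this advisory's package lists (every listed stream ships the same NVR).
FIXED_EVR = "0.6.1-13.el9_2"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version comparison: split into numeric/alpha segments, compare
    numerics by value and alphas lexically; a numeric segment beats an alpha
    one, '~' sorts below end-of-string and '^' above it.  Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else ""
        y = sb[i] if i < len(sb) else ""
        if "~" in (x, y):                       # pre-release marker: lowest of all
            if x == y:
                continue
            return -1 if x == "~" else 1
        if "^" in (x, y):                       # post-release marker: above the base
            if x == y:
                continue
            if not x:
                return -1
            if not y:
                return 1
            return -1 if x == "^" else 1
        if not x:                               # a ran out of segments first
            return -1
        if not y:
            return 1
        if x.isdigit() != y.isdigit():          # numeric segment is newer than alpha
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); a missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Full rpm ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def cjose_is_fixed(installed_evr: str) -> bool:
    """True when the installed build is this advisory's build or newer.
    Only meaningful for the RHEL 9.2 streams the advisory covers."""
    return evr_cmp(installed_evr, FIXED_EVR) >= 0


def installed_cjose_evr() -> Optional[str]:
    """Query rpm on the local host; None if cjose or rpm itself is absent.
    With both i686 and x86_64 installed, rpm prints one line per package;
    the first is returned."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n", "cjose"],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    lines = out.stdout.split()
    return lines[0] if out.returncode == 0 and lines else None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rpm_file_matches(path: str, expected_sha256: str) -> bool:
    """Compare a downloaded RPM against the SHA-256 printed in this advisory."""
    with open(path, "rb") as fh:
        return sha256_hex(fh.read()) == expected_sha256.lower()


if __name__ == "__main__":
    evr = installed_cjose_evr()
    if evr is None:
        print("cjose is not installed here (or rpm is unavailable)")
    elif cjose_is_fixed(evr):
        print(f"cjose {evr}: fixed")
    else:
        print(f"cjose {evr}: VULNERABLE, update to {FIXED_EVR}")
```

Because the comparison is purely lexical on the release string, a build from a different RHEL 9 minor stream (for example one tagged el9_0) will be reported as older even if it carries the same fix; check such hosts against the advisory for their own stream.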
Related news
Debian Linux Security Advisory 5472-1 - It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard, may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.
Red Hat Security Advisory 2023-4429-01 - mod_auth_openidc is an OpenID Connect authentication module for the Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4417-01 - cjose is a C library implementing JavaScript Object Signing and Encryption.
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of ...
Red Hat Security Advisory 2023-4410-01 - mod_auth_openidc is an OpenID Connect authentication module for the Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4409-01 - mod_auth_openidc is an OpenID Connect authentication module for the Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4408-01 - mod_auth_openidc is an OpenID Connect authentication module for the Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw...
An update for cjose is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). The AES GCM decryptio...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorre...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets ...
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).