Go JOSE JSON Web Encryption Decryption Panic Vulnerability

A denial-of-service vulnerability has been identified in the Go JOSE library, specifically in versions prior to 4.1.4 and 3.0.5. The issue arises during the decryption of JSON Web Encryption (JWE) objects when the 'alg' field specifies a key wrapping algorithm (excluding A128GCMKW, A192GCMKW, and A256GCMKW) and the 'encrypted_key' field is empty. This situation causes a panic, as the 'cipher.KeyUnwrap()' function attempts to process a zero-length encrypted key. The vulnerability can be triggered by parsing encrypted JWE data with accepted key algorithms that include key wrapping algorithms, or by directly calling 'cipher.KeyUnwrap()' with a ciphertext shorter than 16 bytes.

Impact

Exploitation of this vulnerability leads to a panic, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, parse a JWE object using the 'ParseEncrypted()', 'ParseEncryptedJSON()', or 'ParseEncryptedCompact()' functions, while including key wrapping algorithms in the 'keyEncryptionAlgorithms' parameter. Ensure that the JWE object is constructed such that the 'alg' field indicates a key wrapping algorithm (excluding the exceptions) and the 'encrypted_key' field is empty. Alternatively, the vulnerability can be reproduced by directly calling 'cipher.KeyUnwrap()' with a ciphertext parameter less than 16 bytes long.

Remediation

Users can upgrade to Go JOSE versions 4.1.4 or 3.0.5, where this vulnerability has been fixed. If upgrading is not immediately possible, JWE objects can be prevalidated to ensure the 'encrypted_key' field is not empty, especially when accepting JWE Compact Serialization.