CVE-2019-17195
📋 TL;DR
CVE-2019-17195 is a vulnerability in Connect2id Nimbus JOSE+JWT library where uncaught exceptions during JWT parsing can cause application crashes or authentication bypass. This affects applications using vulnerable versions of the library for JWT processing. The vulnerability could lead to denial of service or unauthorized access.
💻 Affected Systems
- Connect2id Nimbus JOSE+JWT
📦 What is this software?
Communications Cloud Native Core Security Edge Protection Proxy by Oracle
Communications Pricing Design Center by Oracle
Enterprise Manager Base Platform by Oracle
Hadoop by Apache
Jd Edwards Enterpriseone Orchestrator by Oracle
Nimbus JOSE+JWT by Connect2id
Peoplesoft Enterprise Peopletools by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Authentication bypass allowing unauthorized access to protected resources, or application crash leading to denial of service and potential information disclosure through error messages.
Likely Case
Application crashes causing denial of service, potentially exposing stack traces or error information that could aid attackers.
If Mitigated
Limited impact with proper exception handling and input validation in place, though underlying vulnerability remains.
🎯 Exploit Status
Exploitation requires sending malformed JWTs to vulnerable endpoints. No public exploit code was found in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.9 and later
Vendor Advisory: https://connect2id.com/blog/nimbus-jose-jwt-7-9
Restart Required: Yes
Instructions:
1. Update Nimbus JOSE+JWT dependency to version 7.9 or later.
2. Update pom.xml or build.gradle with new version.
3. Rebuild and redeploy application.
4. Restart affected services.
🔧 Temporary Workarounds
Input validation wrapper
Implement custom JWT parsing with try-catch blocks to handle exceptions before they reach vulnerable library code.
🧯 If You Can't Patch
- Implement network-level filtering to block malformed JWT tokens at WAF or load balancer
- Add application-level exception handling to catch and log parsing errors without crashing
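The parsing wrapper from the workaround above and the application-level exception handling suggested here, as one added Java example (not the library's or this page's own code). It assumes an HS256 shared secret verified with Nimbus's MACVerifier; the class name and logging setup are hypothetical.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Date;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Fail-closed JWT validation wrapper (added example, not library code). */
public final class SafeJwtValidator {
    private static final Logger LOG = Logger.getLogger(SafeJwtValidator.class.getName());
    private final JWSVerifier verifier;
    public SafeJwtValidator(byte[] hmacSecret) throws JOSEException { // hypothetical HS256 secret
        this.verifier = new MACVerifier(hmacSecret);
    }

    /**
     * Returns the claims only if the token parses, its signature verifies and it has not expired.
     * Every failure, checked or unchecked, is logged and mapped to Optional.empty() (unauthenticated).
     */
    public Optional<JWTClaimsSet> validate(String token) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            if (!jwt.verify(verifier)) {
                LOG.warning("JWT rejected: signature verification failed");
                return Optional.empty();
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || exp.before(new Date())) {
                LOG.warning("JWT rejected: missing or past exp claim");
                return Optional.empty();
            }
            return Optional.of(claims);
        } catch (ParseException | JOSEException e) {
            // The checked failure modes for a malformed or unverifiable token.
            LOG.log(Level.WARNING, "JWT rejected: " + e.getMessage());
            return Optional.empty();
        } catch (RuntimeException e) {
            // Unchecked exceptions escaping from parsing (the CVE-2019-17195 case) neither crash the request nor skip the auth decision.
            LOG.log(Level.WARNING, "JWT rejected: unexpected " + e.getClass().getName(), e);
            return Optional.empty();
        }
    }
}
```

Callers should treat an empty result as an authentication failure and return 401, never 500, so a bad token is logged (feeding the indicators listed under Detection & Monitoring) without taking the service down.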
🔍 How to Verify
Check if Vulnerable:
Check dependency manifest (pom.xml, build.gradle, package.json) for Nimbus JOSE+JWT version below 7.9.
Check Version:
grep -i 'nimbus-jose-jwt' pom.xml build.gradle package.json 2>/dev/null || find . -name '*.jar' -exec jar tf {} \; 2>/dev/null | grep -i nimbus
Verify Fix Applied:
Verify dependency manifest shows version 7.9 or higher and test JWT parsing with malformed tokens.
📡 Detection & Monitoring
Log Indicators:
- Uncaught exceptions in JWT parsing
- Application crashes with JWT-related stack traces
- Repeated authentication failures with malformed tokens
Network Indicators:
- HTTP 500 errors on authentication endpoints
- Unusual JWT token patterns in requests
SIEM Query:
source="application.logs" AND (("uncaught exception" AND "JWT") OR ("nimbus" AND "exception"))
🔗 References
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt
- https://connect2id.com/blog/nimbus-jose-jwt-7-9
- https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d%40%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a%40%3Cdev.avro.apache.org%3E
- https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98%40%3Cdev.avro.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html