CVE-2024-29371
📋 TL;DR
This vulnerability allows attackers to cause Denial-of-Service (DoS) by sending malicious JWE tokens with extreme compression ratios to servers using jose4j. When processed, these 'zip bomb' tokens trigger excessive memory allocation and CPU consumption during decompression. Any system using vulnerable versions of jose4j for JWE token processing is affected.
💻 Affected Systems
- jose4j
📦 What is this software?
Jose4j by Jose4j Project
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory exhaustion and CPU saturation, potentially requiring server restarts and causing extended downtime.
Likely Case
Service degradation or temporary unavailability affecting users, with potential cascading effects on dependent services.
If Mitigated
Minimal impact with proper rate limiting, input validation, and monitoring in place to detect and block malicious requests.
🎯 Exploit Status
The exploit requires crafting a malicious JWE token with extreme compression ratios, which is straightforward for attackers familiar with JWE format.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.6
Vendor Advisory: https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack
Restart Required: Yes
Instructions:
1. Update jose4j dependency to version 0.9.6 or later. 2. Update your project's dependency management file (pom.xml for Maven, build.gradle for Gradle). 3. Rebuild and redeploy your application. 4. Restart affected services.
🔧 Temporary Workarounds
Disable JWE Compression
allDisable compression for JWE tokens in jose4j configuration to prevent decompression attacks.
Set DEFLATE compression algorithm to not be used in JWE processing configuration
Input Size Limiting
allImplement request size limits and input validation to reject excessively large or malformed JWE tokens.
Configure web server/application to limit maximum request size and validate JWE token structure
🧯 If You Can't Patch
- Implement strict rate limiting and request throttling to limit impact of DoS attempts
- Deploy WAF rules to detect and block malicious JWE patterns and implement monitoring for abnormal memory usage
🔍 How to Verify
Check if Vulnerable:
Check your project's dependency version of jose4j. If version is below 0.9.6, you are vulnerable.Check Version:
For Maven: mvn dependency:tree | grep jose4j; For Gradle: gradle dependencies | grep jose4j; For manual check: inspect pom.xml or build.gradleVerify Fix Applied:
Verify that jose4j version is 0.9.6 or higher in your dependency management file and deployed application.📡 Detection & Monitoring
Log Indicators:
- Unusually high memory usage spikes
- Extended processing times for JWE token validation
- OutOfMemoryError exceptions in logs
- Increased garbage collection activity
Network Indicators:
- Large JWE tokens being sent to authentication/validation endpoints
- Sudden increase in request size to JWE processing endpoints
SIEM Query:
source="application_logs" AND ("OutOfMemoryError" OR "java.lang.OutOfMemoryError") AND process="*jose4j*" OR (source="network_traffic" AND uri_path="*/auth*" OR "*/token*" AND request_size>100KB)