Bug 1220726 (CVE-2023-51775)

Summary: VUL-0: CVE-2023-51775: jose4j: denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Michael Calmer <mc>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: abergmann, mc
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/395628/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-51775:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-03-01 06:58:04 UTC
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-51775
https://www.cve.org/CVERecord?id=CVE-2023-51775
https://bitbucket.org/b_c/jose4j/issues/212
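The mechanism behind this bug, as an added illustration that is not jose4j's code (jose4j is Java; this is Python): in a PBES2 JWE the protected header carries `p2c`, the PBKDF2 iteration count, and `p2s`, the salt input. A decrypting party that passes an attacker-chosen `p2c` straight into PBKDF2 does work linear in that value, so a header with `p2c` near 2^31 pins a CPU for a long time before the (wrong) password is even noticed. The mitigation is to bound `p2c` before any derivation work is spent. The JWE headers below are constructed for the example, `MIN_P2C` follows the RFC 7518 recommendation of at least 1000 iterations, and `MAX_P2C` is an assumed policy value, not jose4j's actual default limit.

```python
"""Bounding the PBES2 iteration count (p2c) before running PBKDF2.

Added illustration, not jose4j's own code. The JWE protected headers below
are constructed for the example; MAX_P2C is an assumed policy value.
"""
import base64
import hashlib
import json

# Assumed policy bounds on p2c (the PBKDF2 iteration count). RFC 7518 section
# 4.8.1.2 recommends at least 1000 iterations; the upper bound is this
# example's own choice, not jose4j's default.
MIN_P2C = 1000
MAX_P2C = 1_000_000

# PBES2 JWE algorithms (RFC 7518 section 4.8): PRF hash and derived key length.
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_protected_header(alg: str, p2s: bytes, p2c: int) -> str:
    """Build the base64url protected-header segment of a compact JWE."""
    header = {"alg": alg, "enc": "A128GCM", "p2s": b64url_encode(p2s), "p2c": p2c}
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))


def parse_protected_header(jwe_compact: str) -> dict:
    """The protected header is the first dot-separated segment of a compact JWE."""
    return json.loads(b64url_decode(jwe_compact.split(".")[0]))


def validate_pbes2_header(header: dict, max_p2c: int = MAX_P2C) -> None:
    """Reject hostile headers before any key-derivation work is spent.

    This is the check the vulnerable path lacks: it trusted p2c straight
    from the attacker-controlled header and handed it to PBKDF2.
    """
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 algorithm: {alg!r}")
    p2c = header.get("p2c")
    # bool is an int subclass in Python; JSON true/false is not a valid count.
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise ValueError("p2c must be an integer")
    if p2c < MIN_P2C or p2c > max_p2c:
        raise ValueError(f"p2c {p2c} outside policy bounds [{MIN_P2C}, {max_p2c}]")
    p2s = header.get("p2s")
    if not isinstance(p2s, str) or len(b64url_decode(p2s)) < 8:
        raise ValueError("p2s must be base64url of at least 8 octets")


def derive_pbes2_key(header: dict, password: bytes, max_p2c: int = MAX_P2C) -> bytes:
    """Derive the key-wrapping key as in RFC 7518 section 4.8.1.1.

    Salt = UTF8(alg) || 0x00 || p2s; iteration count = p2c. The cost is
    linear in p2c, which is why an unbounded p2c is a CPU denial of service.
    """
    validate_pbes2_header(header, max_p2c)
    hash_name, dk_len = PBES2_ALGS[header["alg"]]
    salt = header["alg"].encode("ascii") + b"\x00" + b64url_decode(header["p2s"])
    return hashlib.pbkdf2_hmac(hash_name, password, salt, header["p2c"], dk_len)


# Constructed sample inputs: only the protected header segment is meaningful;
# the remaining four JWE segments are left empty as placeholders.
SALT = bytes(range(1, 13))
BENIGN_JWE = make_protected_header("PBES2-HS256+A128KW", SALT, 4096) + "...."
HOSTILE_JWE = make_protected_header("PBES2-HS256+A128KW", SALT, 2**31 - 1) + "...."


def unwrap_attempt(jwe_compact: str, password: bytes) -> str:
    """Return the hex key, or 'rejected'; never runs PBKDF2 on an out-of-policy p2c."""
    try:
        return derive_pbes2_key(parse_protected_header(jwe_compact), password).hex()
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    print("benign :", unwrap_attempt(BENIGN_JWE, pw))
    print("hostile:", unwrap_attempt(HOSTILE_JWE, pw))
```

The ordering matters: the bound is checked in `validate_pbes2_header` before `hashlib.pbkdf2_hmac` is ever called, so the hostile header costs a JSON parse and a comparison rather than two billion HMAC rounds. Any real deployment should also pick the cap from its own latency budget, since even an in-policy `p2c` is work an unauthenticated sender can force.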
Comment 1 Michael Calmer 2024-03-01 10:20:22 UTC
I made an SR to Devel:Galaxy:Manager:4.3 - should go out with the next Maintenance update for SUMA 4.3

For 5.0 we will try to update to 0.9.5 - planned for Beta 2

Java:packages was updated to 0.9.5 as well.
Comment 8 Maintenance Automation 2024-05-06 12:30:14 UTC
SUSE-SU-2024:1532-1: An update that solves one vulnerability, contains one feature and has 33 security fixes can now be installed.

Category: security (important)
Bug References: 1170848, 1208572, 1214340, 1214387, 1216085, 1217204, 1217874, 1218764, 1218805, 1218931, 1218957, 1219061, 1219233, 1219634, 1219875, 1220001, 1220101, 1220169, 1220194, 1220221, 1220376, 1220705, 1220726, 1220903, 1220980, 1221111, 1221182, 1221279, 1221465, 1221571, 1221784, 1221922, 1222110, 1222347
CVE References: CVE-2023-51775
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33591](https://smelt.suse.de/incident/33591/)
Sources used:
SUSE Manager Proxy 4.3 (src):
 release-notes-susemanager-proxy-4.3.12-150400.3.82.3
SUSE Manager Retail Branch Server 4.3 (src):
 release-notes-susemanager-proxy-4.3.12-150400.3.82.3
SUSE Manager Server 4.3 (src):
 release-notes-susemanager-4.3.12-150400.3.108.2
openSUSE Leap 15.4 (src):
 release-notes-susemanager-proxy-4.3.12-150400.3.82.3, release-notes-susemanager-4.3.12-150400.3.108.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2024-05-06 12:31:20 UTC
SUSE-SU-2024:1507-1: An update that solves one vulnerability, contains one feature and has 32 security fixes can now be installed.

Category: security (moderate)
Bug References: 1170848, 1208572, 1214340, 1214387, 1216085, 1217204, 1217874, 1218764, 1218805, 1218931, 1218957, 1219061, 1219233, 1219634, 1219875, 1220101, 1220169, 1220194, 1220221, 1220376, 1220705, 1220726, 1220903, 1220980, 1221111, 1221182, 1221279, 1221465, 1221571, 1221784, 1221922, 1222110, 1222347
CVE References: CVE-2023-51775
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33406](https://smelt.suse.de/incident/33406/)
Sources used:
SUSE Manager Proxy 4.3 Module 4.3 (src):
 spacewalk-certs-tools-4.3.23-150400.3.28.5, spacewalk-client-tools-4.3.19-150400.3.27.5, uyuni-common-libs-4.3.10-150400.3.18.4, mgr-daemon-4.3.9-150400.3.15.5, spacewalk-web-4.3.38-150400.3.42.6, spacewalk-backend-4.3.28-150400.3.41.7, spacecmd-4.3.27-150400.3.36.5
SUSE Manager Server 4.3 Module 4.3 (src):
 smdba-1.7.13-0.150400.4.12.4, susemanager-docs_en-4.3-150400.9.56.4, uyuni-reportdb-schema-4.3.10-150400.3.15.6, susemanager-4.3.35-150400.3.48.6, spacewalk-backend-4.3.28-150400.3.41.7, spacewalk-java-4.3.73-150400.3.79.1, susemanager-sync-data-4.3.17-150400.3.25.4, cobbler-3.3.3-150400.5.42.5, jose4j-0.5.1-150400.3.9.4, susemanager-sls-4.3.41-150400.3.47.6, spacecmd-4.3.27-150400.3.36.5, uyuni-common-libs-4.3.10-150400.3.18.4, spacewalk-certs-tools-4.3.23-150400.3.28.5, spacewalk-web-4.3.38-150400.3.42.6, inter-server-sync-0.3.3-150400.3.30.4, susemanager-schema-4.3.25-150400.3.39.5, supportutils-plugin-susemanager-4.3.11-150400.3.21.4, spacewalk-client-tools-4.3.19-150400.3.27.5, image-sync-formula-0.1.1711646883.4a44375-150400.3.18.4, spacewalk-config-4.3.13-150400.3.15.5, subscription-matcher-0.37-150400.3.22.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.