BIT-drupal-2021-41184
Denial of Service vulnerability in jquery-ui (npm)

Denial of Service No known exploit

What is BIT-drupal-2021-41184 About?

This vulnerability in JWE key management algorithms allows for a Denial of Service attack by manipulating the 'p2c' (PBES2 Count) header parameter. An attacker can set this parameter to an excessively large number, which causes disproportionate computational consumption. Exploitation is plausible if an application processes JWEs from untrusted sources without validating cryptographic parameters.

Affected Software

  • jquery-ui
    • <1.13.0
  • org.webjars.npm:jquery-ui
    • <1.13.0
  • jQuery.UI.Combined
    • <1.13.0
  • jquery-ui-rails
    • <7.0.0

Technical Details

JWE key management algorithms relying on PBKDF2 use the 'p2c' (PBES2 Count) JOSE Header Parameter to specify the number of PBKDF2 iterations for deriving a Content Encryption Key (CEK) wrapping key. This parameter is designed to increase the computational cost of brute-force attacks. However, this vulnerability arises when an attacker crafts a JWE where the 'p2c' parameter is set to an extremely high, malicious value. When the receiving application attempts to process this JWE and derive the key, the excessive number of PBKDF2 iterations consumes a disproportionate amount of computational resources, leading to a Denial of Service condition by exhausting CPU cycles and memory.

What is the Impact of BIT-drupal-2021-41184?

Successful exploitation may allow attackers to exhaust system resources, leading to a Denial of Service by making the application unresponsive or unavailable when processing malicious JWEs.

What is the Exploitability of BIT-drupal-2021-41184?

Exploitation involves crafting a JWE whose 'p2c' parameter is set to an excessively large value, which is of moderate complexity. The attacker would need to be able to submit JWEs for processing by the target system. No specific authentication beyond what is required to submit a JWE is typically needed, and privilege requirements are low because the vulnerability lies in cryptographic processing. This is commonly a remote attack vector, where the malicious JWE is sent over a network. The likelihood of exploitation increases if the application processes JWEs from untrusted or unauthenticated sources without implementing safeguards to cap the 'p2c' iteration count at a reasonable maximum.
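The safeguard described in the Technical Details and Exploitability sections, as an added Node.js example that is not part of this advisory or of any library it names: the protected header of a compact JWE is inspected, and a PBES2 'p2c' count above a cap (the 10,000 limit here is an assumed value) is rejected before any PBKDF2 work is done. The JWEs below are constructed samples with placeholder ciphertext segments.

```javascript
// Added example (not from the advisory or any library): reject oversized
// PBES2 'p2c' iteration counts before PBKDF2 runs, to avoid the CPU-exhaustion DoS.

const MAX_P2C = 10000; // assumed cap; tune to what your hardware tolerates

function base64UrlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

// Returns { ok: true } when the JWE may proceed to key unwrapping,
// otherwise { ok: false, reason } so the caller can log and drop it.
function checkJweHeader(compactJwe, maxP2c = MAX_P2C) {
  const parts = compactJwe.split('.');
  if (parts.length !== 5) return { ok: false, reason: 'not a 5-part compact JWE' };
  let header;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
  } catch (e) {
    return { ok: false, reason: 'protected header is not valid JSON' };
  }
  // Only the PBES2 family derives the wrapping key with PBKDF2; p2c is irrelevant otherwise.
  if (typeof header.alg !== 'string' || !header.alg.startsWith('PBES2-')) return { ok: true };
  // Reject strings, floats, negatives and missing values, not just large numbers.
  if (!Number.isInteger(header.p2c) || header.p2c < 1) {
    return { ok: false, reason: 'p2c missing or not a positive integer' };
  }
  if (header.p2c > maxP2c) {
    return { ok: false, reason: `p2c=${header.p2c} exceeds cap ${maxP2c}` };
  }
  return { ok: true };
}

// Builds a constructed compact JWE with only the protected header populated.
function makeSampleJwe(header) {
  const h = Buffer.from(JSON.stringify(header)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${h}.x.x.x.x`; // placeholder key, IV, ciphertext and tag segments
}

// Constructed samples: a reasonable count and a hostile one.
const benignJwe = makeSampleJwe({ alg: 'PBES2-HS256+A128KW', enc: 'A128GCM', p2s: 'c2FsdA', p2c: 4096 });
const hostileJwe = makeSampleJwe({ alg: 'PBES2-HS256+A128KW', enc: 'A128GCM', p2s: 'c2FsdA', p2c: 2147483647 });

console.log(checkJweHeader(benignJwe));  // { ok: true }
console.log(checkJweHeader(hostileJwe)); // { ok: false, reason: 'p2c=2147483647 exceeds cap 10000' }
```

Run this check on the raw token before handing it to your JOSE library, since the expensive derivation happens inside the library's decrypt call.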

What are the Known Public Exploits?

PoC Author       Link    Commentary
gabrielolivra    Link    PoC for CVE-2021-41184

What are the Available Fixes for BIT-drupal-2021-41184?

Available Upgrade Options

  • jquery-ui-rails
    • <7.0.0 → Upgrade to 7.0.0
  • org.webjars.npm:jquery-ui
    • <1.13.0 → Upgrade to 1.13.0
  • jquery-ui
    • <1.13.0 → Upgrade to 1.13.0
  • jQuery.UI.Combined
    • <1.13.0 → Upgrade to 1.13.0

Additional Resources

What are Similar Vulnerabilities to BIT-drupal-2021-41184?

Similar Vulnerabilities: CVE-2023-49292, CVE-2023-49291, CVE-2019-1010188, CVE-2019-1010189, CVE-2019-1010190