CVE-2023-22899
Missing Cryptographic Check vulnerability in zip4j (Maven)

Type: Missing Cryptographic Check. Known exploits: none. Fix: available from Resolved Security.

What is CVE-2023-22899 About?

Zip4j through 2.11.2, used in products like Threema, is vulnerable due to a missing MAC check during ZIP archive decryption. This flaw could allow attackers to tamper with encrypted archives without detection, potentially leading to data integrity issues. Exploitation would involve crafting a malicious ZIP archive and may not be trivial.

Affected Software

net.lingala.zip4j:zip4j <2.11.3

Technical Details

The vulnerability in Zip4j versions up to 2.11.2 (as integrated into applications such as Threema) is a cryptographic flaw. When decrypting an encrypted ZIP entry, the library does not verify the Message Authentication Code (MAC) in every case. The MAC is what guarantees the integrity and authenticity of the encrypted data: without the check, modifications made to the ciphertext of an encrypted archive after encryption go unnoticed at decryption time, and the application ends up processing manipulated data. The attack vector is supplying a maliciously altered, encrypted ZIP archive to a system that decrypts it with the vulnerable Zip4j library.

What is the Impact of CVE-2023-22899?

Successful exploitation may allow attackers to alter the contents of encrypted ZIP archives without detection, leading to data integrity compromise or the insertion of malicious payloads.

What is the Exploitability of CVE-2023-22899?

Exploitation of this vulnerability would involve crafting a modified encrypted ZIP archive that takes advantage of the missing MAC check. The complexity is likely moderate to high, since it requires cryptographic knowledge and an understanding of Zip4j's encryption implementation. There are no explicit authentication or privilege requirements beyond the ability to deliver an encrypted ZIP archive to a target system that processes it with the vulnerable Zip4j library; this is typically a local attack, in which the attacker must be able to supply the ZIP file to an application that opens it. Special conditions involve the specific encryption methods used within Zip4j and the attacker's ability to manipulate the ciphertext. The risk is higher for applications that rely on the confidentiality and integrity assurances of encrypted ZIP files received from untrusted sources.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known public exploits have been catalogued for this vulnerability.

What are the Available Fixes for CVE-2023-22899?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch removes the code that skipped AES authentication-code (MAC) verification when both the data descriptor flag was set and DEFLATE compression was used, so the AES MAC is now verified regardless of the compression method or the presence of data descriptors. This fixes CVE-2023-22899: a crafted ZIP file can no longer bypass the integrity check to inject or alter data without detection.
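As an added illustration (not zip4j's own code), the Python below models the flawed branch the patch removes beside the corrected one, and the regression check a maintainer would keep so the MAC verification never becomes conditional again. The HMAC-based keystream is a labelled stand-in for AES-CTR (the standard library has no AES), and the two entry flags are a simplification of the condition described above; the 10-byte truncated HMAC-SHA1 authentication code follows the WinZip AES layout.

```python
import hmac
import hashlib

AUTH_CODE_LEN = 10  # WinZip AES stores a truncated HMAC-SHA1 after the ciphertext

def keystream(key: bytes, n: int) -> bytes:
    # Stand-in for AES-CTR (the stdlib has no AES): an HMAC-SHA256 counter stream.
    # It keeps the property that matters here: a flipped ciphertext bit flips
    # exactly one plaintext bit, which only the MAC check can detect.
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, counter.to_bytes(16, "little"), hashlib.sha256).digest()
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_entry(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, ct, hashlib.sha1).digest()[:AUTH_CODE_LEN]
    return ct + tag

def verify_auth_code(mac_key: bytes, ct: bytes, tag: bytes) -> None:
    expected = hmac.new(mac_key, ct, hashlib.sha1).digest()[:AUTH_CODE_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication code mismatch")

def decrypt_vulnerable(enc_key, mac_key, record, data_descriptor, deflate):
    ct, tag = record[:-AUTH_CODE_LEN], record[-AUTH_CODE_LEN:]
    # The flawed branch: no verification for this combination of entry flags.
    if not (data_descriptor and deflate):
        verify_auth_code(mac_key, ct, tag)
    return xor(ct, keystream(enc_key, len(ct)))

def decrypt_fixed(enc_key, mac_key, record, data_descriptor, deflate):
    ct, tag = record[:-AUTH_CODE_LEN], record[-AUTH_CODE_LEN:]
    verify_auth_code(mac_key, ct, tag)  # unconditional, whatever the entry flags
    return xor(ct, keystream(enc_key, len(ct)))

def tampered_record_rejected(decrypt) -> bool:
    """Regression check: a record with one flipped ciphertext byte must be refused."""
    enc_key, mac_key = b"E" * 32, b"M" * 32  # constructed fixed keys (test only)
    record = bytearray(encrypt_entry(enc_key, mac_key, b"status=ok"))
    record[0] ^= 0x01  # corrupt the first ciphertext byte, leave the tag intact
    try:
        decrypt(enc_key, mac_key, bytes(record), data_descriptor=True, deflate=True)
    except ValueError:
        return True
    return False
```

Running the check against both decrypt paths shows the vulnerable one returning corrupted plaintext without error, while the fixed one refuses the record.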

Available Upgrade Options

  • net.lingala.zip4j:zip4j
    • <2.11.3 → Upgrade to 2.11.3


Additional Resources

What are Similar Vulnerabilities to CVE-2023-22899?

Similar Vulnerabilities: CVE-2023-28751, CVE-2023-24891, CVE-2023-36384, CVE-2023-31122, CVE-2023-31968