CVE-2017-12973: Medium severity connect2id nimbus jose+jwt vulnerability
Published Aug 20, 2017
·Updated
Connect2id Nimbus JOSE+JWT could provide weaker than expected security, caused by proceeding improperly after detection of an invalid HMAC in authenticated AES-CBC decryption. A remote attacker could exploit this vulnerability to conduct a padding oracle attack.
Other sources
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
Affected Software
128 affected components
Connect2id Nimbus Jose\+jwt=1.0
Connect2id Nimbus Jose\+jwt=1.1
Connect2id Nimbus Jose\+jwt=1.2
Connect2id Nimbus Jose\+jwt=1.3
Connect2id Nimbus Jose\+jwt=1.4
Connect2id Nimbus Jose\+jwt=1.5
Connect2id Nimbus Jose\+jwt=1.6
Connect2id Nimbus Jose\+jwt=1.7
Connect2id Nimbus Jose\+jwt=1.8
Connect2id Nimbus Jose\+jwt=1.9
Connect2id Nimbus Jose\+jwt=1.9.1
Connect2id Nimbus Jose\+jwt=1.10
Connect2id Nimbus Jose\+jwt=1.11
Connect2id Nimbus Jose\+jwt=1.12
Connect2id Nimbus Jose\+jwt=2.0
Connect2id Nimbus Jose\+jwt=2.0.1
Connect2id Nimbus Jose\+jwt=2.1
Connect2id Nimbus Jose\+jwt=2.1.1
Connect2id Nimbus Jose\+jwt=2.2
Connect2id Nimbus Jose\+jwt=2.3
Connect2id Nimbus Jose\+jwt=2.4
Connect2id Nimbus Jose\+jwt=2.5
Connect2id Nimbus Jose\+jwt=2.6
Connect2id Nimbus Jose\+jwt=2.7
Connect2id Nimbus Jose\+jwt=2.8
Connect2id Nimbus Jose\+jwt=2.9
Connect2id Nimbus Jose\+jwt=2.10
Connect2id Nimbus Jose\+jwt=2.10.1
Connect2id Nimbus Jose\+jwt=2.11.0
Connect2id Nimbus Jose\+jwt=2.12.0
Connect2id Nimbus Jose\+jwt=2.13.0
Connect2id Nimbus Jose\+jwt=2.13.1
Connect2id Nimbus Jose\+jwt=2.14
Connect2id Nimbus Jose\+jwt=2.15
Connect2id Nimbus Jose\+jwt=2.15.1
Connect2id Nimbus Jose\+jwt=2.15.2
Connect2id Nimbus Jose\+jwt=2.16
Connect2id Nimbus Jose\+jwt=2.17
Connect2id Nimbus Jose\+jwt=2.17.1
Connect2id Nimbus Jose\+jwt=2.17.2
Connect2id Nimbus Jose\+jwt=2.18
Connect2id Nimbus Jose\+jwt=2.18.1
Connect2id Nimbus Jose\+jwt=2.18.2
Connect2id Nimbus Jose\+jwt=2.19
Connect2id Nimbus Jose\+jwt=2.19.1
Connect2id Nimbus Jose\+jwt=2.20
Connect2id Nimbus Jose\+jwt=2.21
Connect2id Nimbus Jose\+jwt=2.22
Connect2id Nimbus Jose\+jwt=2.22.1
Connect2id Nimbus Jose\+jwt=2.23
Connect2id Nimbus Jose\+jwt=2.24
Connect2id Nimbus Jose\+jwt=2.25
Connect2id Nimbus Jose\+jwt=2.26
Connect2id Nimbus Jose\+jwt=2.26.1
Connect2id Nimbus Jose\+jwt=3.0
Connect2id Nimbus Jose\+jwt=3.1
Connect2id Nimbus Jose\+jwt=3.1.1
Connect2id Nimbus Jose\+jwt=3.1.2
Connect2id Nimbus Jose\+jwt=3.2
Connect2id Nimbus Jose\+jwt=3.2.1
Connect2id Nimbus Jose\+jwt=3.2.2
Connect2id Nimbus Jose\+jwt=3.3
Connect2id Nimbus Jose\+jwt=3.4
Connect2id Nimbus Jose\+jwt=3.5
Connect2id Nimbus Jose\+jwt=3.6
Connect2id Nimbus Jose\+jwt=3.7
Connect2id Nimbus Jose\+jwt=3.8
Connect2id Nimbus Jose\+jwt=3.8.1
Connect2id Nimbus Jose\+jwt=3.8.2
Connect2id Nimbus Jose\+jwt=3.9
Connect2id Nimbus Jose\+jwt=3.9.1
Connect2id Nimbus Jose\+jwt=3.9.2
Connect2id Nimbus Jose\+jwt=3.10
Connect2id Nimbus Jose\+jwt=4.0
Connect2id Nimbus Jose\+jwt=4.0.1
Connect2id Nimbus Jose\+jwt=4.1
Connect2id Nimbus Jose\+jwt=4.1.1
Connect2id Nimbus Jose\+jwt=4.2
Connect2id Nimbus Jose\+jwt=4.3
Connect2id Nimbus Jose\+jwt=4.3.1
Connect2id Nimbus Jose\+jwt=4.4
Connect2id Nimbus Jose\+jwt=4.5
Connect2id Nimbus Jose\+jwt=4.6
Connect2id Nimbus Jose\+jwt=4.7
Connect2id Nimbus Jose\+jwt=4.8
Connect2id Nimbus Jose\+jwt=4.9
Connect2id Nimbus Jose\+jwt=4.10
Connect2id Nimbus Jose\+jwt=4.11
Connect2id Nimbus Jose\+jwt=4.11.1
Connect2id Nimbus Jose\+jwt=4.11.2
Connect2id Nimbus Jose\+jwt=4.12
Connect2id Nimbus Jose\+jwt=4.13
Connect2id Nimbus Jose\+jwt=4.13.1
Connect2id Nimbus Jose\+jwt=4.14
Connect2id Nimbus Jose\+jwt=4.15
Connect2id Nimbus Jose\+jwt=4.15.1
Connect2id Nimbus Jose\+jwt=4.16
Connect2id Nimbus Jose\+jwt=4.16.1
Connect2id Nimbus Jose\+jwt=4.16.2
Connect2id Nimbus Jose\+jwt=4.17
Connect2id Nimbus Jose\+jwt=4.18
Connect2id Nimbus Jose\+jwt=4.19
Connect2id Nimbus Jose\+jwt=4.20
Connect2id Nimbus Jose\+jwt=4.21
Connect2id Nimbus Jose\+jwt=4.22
Connect2id Nimbus Jose\+jwt=4.23
Connect2id Nimbus Jose\+jwt=4.24
Connect2id Nimbus Jose\+jwt=4.25
Connect2id Nimbus Jose\+jwt=4.26
Connect2id Nimbus Jose\+jwt=4.26.1
Connect2id Nimbus Jose\+jwt=4.27
Connect2id Nimbus Jose\+jwt=4.27.1
Connect2id Nimbus Jose\+jwt=4.28
Connect2id Nimbus Jose\+jwt=4.29
Connect2id Nimbus Jose\+jwt=4.30
Connect2id Nimbus Jose\+jwt=4.31
Connect2id Nimbus Jose\+jwt=4.31.1
Connect2id Nimbus Jose\+jwt=4.32
Connect2id Nimbus Jose\+jwt=4.33
Connect2id Nimbus Jose\+jwt=4.34
Connect2id Nimbus Jose\+jwt=4.34.1
Connect2id Nimbus Jose\+jwt=4.34.2
Connect2id Nimbus Jose\+jwt=4.35
Connect2id Nimbus Jose\+jwt=4.36.1
Connect2id Nimbus Jose\+jwt=4.37
Connect2id Nimbus Jose\+jwt=4.37.1
Connect2id Nimbus Jose\+jwt=4.38
IBM GDE<=3.0.0.2
Remediation
Event History
Aug 20, 2017
CVE Published
via MITRE·04:00 PM
Data Sourced
via MITRE·04:00 PM
Description
Frequently Asked Questions
1
What is the severity of CVE-2017-12973?
CVE-2017-12973 is classified as a medium severity vulnerability.
2
How do I fix CVE-2017-12973?
To fix CVE-2017-12973, update to the latest version of Connect2id Nimbus JOSE+JWT, specifically version 4.0 or later.
3
What software is vulnerable to CVE-2017-12973?
CVE-2017-12973 affects Connect2id Nimbus JOSE+JWT versions prior to 4.0 and IBM GDE versions up to 3.0.0.2.
4
What kind of attack can be exploited using CVE-2017-12973?
CVE-2017-12973 can be exploited to conduct padding oracle attacks on authenticated AES-CBC decryption.
5
Is my application at risk if it uses affected versions for CVE-2017-12973?
Yes, applications using affected versions of Connect2id Nimbus JOSE+JWT and IBM GDE are at risk and should be updated.