serac commented 8 hours ago
Confirmed. We're analyzing feasibility of a backward-compatible patch and will follow up with release schedule shortly.
cveform:
[Suggested description] CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.
[Additional Information] any encoded network communication based on org.cryptacular.CiphertextHeader#decode(byte[]) is affected. xxx of new byte[xxx] can be controlled by client and can be up to 0x7ffffffd ,which caused 2G of memory consuming without demanding for any privilege.
one of the products using this vuln code is cas4.2.0. login flow of cas4.2.0 based on org.cryptacular.CiphertextHeader#decode(byte[]) ,Concretely speaking,the affected code is org.jasig.spring.webflow.plugin.EncryptedTranscoder#decode
besides,codebase for cas4.2.0 is https://github.com/apereo/cas-overlay-template/commit/7eaf9d7b5b94eb1ba5aea1b2cd6311a86bddd90b
[VulnerabilityType Other] Denial of Service
[Vendor of Product] http://www.cryptacular.org/
[Affected Product Code Base] cryptacular - 1.2.3
[Affected Component] org.cryptacular.CiphertextHeader#decode(byte[]) , https://github.com/vt-middleware/cryptacular/blob/master/src/main/java/org/cryptacular/CiphertextHeader.java#L153
[Attack Type] Remote
[Impact Denial of Service] true
[Attack Vectors] a crafted header of encoded data. e.g '\x00\x00\x00\x34\x7f\xff\xff\xfd'
[Discoverer] findneo
Use CVE-2020-7226.
update:
nonce = new byte[nonceLen];
b = new byte[keyLen];