CVE-2021-29445

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `>=3.11.4`. Users should upgrade to `^3.11.4`.

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `>=3.11.4`. Users should upgrade to `^3.11.4`.

### Impact [AES_CBC_HMAC_SHA2 Algorithm](https://tools.ietf.org/html/rfc7518#section-5.2) (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). ### Patches A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `>=3.11.4`. Users should upgrade to `^3.11.4`. ### Credits Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.

### Impact [AES_CBC_HMAC_SHA2 Algorithm](https://tools.ietf.org/html/rfc7518#section-5.2) (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). ### Patches A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `>=3.11.4`. Users should upgrade to `^3.11.4`. ### Credits Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.

jose-node-esm-runtime es un paquete npm que proporciona una serie de funciones criptográficas. En versiones anteriores a 3.11.4, el algoritmo de descifrado AES_CBC_HMAC_SHA2 (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) siempre ejecutaba tanto la comprobación de etiquetas HMAC como el descifrado CBC, si cometía un fallo "JWEDecryptionFailed" sería lanzado. Pero una posible diferencia observable en el tiempo cuando se produciría un error de relleno al descifrar el texto cifrado crea un padding oracle y un adversario podría ser capaz de hacer uso de ese oracle para descifrar datos sin conocer la clave de descifrado emitiendo un promedio de 128*b llamadas al padding oracle (donde b es el número de bytes en el bloque de texto cifrado). Se lanzó un parche que garantiza que la etiqueta HMAC se verifique antes de llevar a cabo el descifrado CBC. Las versiones corregidas son "superiores o iguales a 3.11.4". Los usuarios deben actualizar a "^ 3.11.4"