https://bugzilla.redhat.com/show_bug.cgi?id=2087214
Bug ID: 2087214 Summary: CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31 Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: saroy@redhat.com CC: aileenc@redhat.com, alazarot@redhat.com, anstephe@redhat.com, chazlett@redhat.com, dchen@redhat.com, drieden@redhat.com, emingora@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, ggaughan@redhat.com, gmalinko@redhat.com, ibek@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jochrist@redhat.com, jolee@redhat.com, jrokos@redhat.com, jschatte@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, kverlaen@redhat.com, mnovotny@redhat.com, pdelbell@redhat.com, pjindal@redhat.com, puntogil@libero.it, rguimara@redhat.com, rrajasek@redhat.com, tzimanyi@redhat.com Target Milestone: --- Classification: Other
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error.
The default settings are not affected by this CVE.
Only in circumstances where the BCryptPasswordEncoder has been configured with the maximum work factor are affected. Due to current limitations in computer hardware, the use of such a high work factor is computationally impractical.
https://tanzu.vmware.com/security/cve-2022-22976