
It was discovered that the AES GCM decryption routine in JOSE for C/C++ (cjose) incorrectly uses the length of the Authentication Tag actually provided in the JWE, rather than the fixed 16-octet (128-bit) tag length the JWE specification requires for the AES GCM content encryption algorithms (CVE-2023-37464). An attacker who controls a JWE can therefore submit a truncated Authentication Tag and modify the ciphertext accordingly; the shorter the tag the library accepts, the fewer guesses a forgery needs. This severe vulnerability is simple to exploit and threatens the integrity of impacted systems.

An attacker could use this to cause a denial of service (system crash) or to expose sensitive information.
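The following Go program is an added illustration of the flawed pattern and its fix; it is not cjose's code. `decryptVulnerable` configures GCM with whatever tag length arrived in the message, `decryptFixed` rejects anything other than 16 octets before touching the cipher, and `TruncatedTagOutcome` shows that a tag an attacker has cut down to 12 bytes is accepted by the first and refused by the second. The key, IV, header stand-in and payload are constructed sample values. One caveat: Go's standard library refuses GCM tags shorter than 12 bytes, so this demo can only truncate that far; with a GCM implementation that honours tags down to a single byte, the same missing check lets an attacker forge a valid tag for a modified ciphertext in at most 256 attempts instead of 2^128.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed sample material (not from any real deployment): a 256-bit CEK, a
// 96-bit IV, a stand-in for the base64url protected header used as AAD, and a
// small payload.
var (
	sampleKey = []byte("0123456789abcdef0123456789abcdef")
	sampleIV  = []byte("unique-nonce")
	sampleAAD = []byte("eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0")
	samplePT  = []byte(`{"sub":"alice","admin":false}`)
)

// jweGCMTagLen is the tag length RFC 7518 fixes for A128GCM/A192GCM/A256GCM: 128 bits.
const jweGCMTagLen = 16

// encryptA256GCM acts as the JWE producer: it returns the ciphertext and the
// full 16-byte Authentication Tag as separate parts, as they appear in a JWE.
func encryptA256GCM(key, iv, aad, plaintext []byte) (ct, tag []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	sealed := gcm.Seal(nil, iv, plaintext, aad)
	n := len(sealed) - gcm.Overhead()
	return sealed[:n], sealed[n:], nil
}

// decryptVulnerable reproduces the flawed pattern: the tag length handed to the
// cipher is whatever length the attacker-controlled JWE carried. Go's GCM only
// permits 12..16-byte tags, so this demo can only truncate to 12 bytes; an API
// that accepts shorter tags lets the same bug go much further.
func decryptVulnerable(key, iv, aad, ct, tag []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCMWithTagSize(block, len(tag)) // length taken from the message
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte{}, ct...), tag...)
	return gcm.Open(nil, iv, sealed, aad)
}

// decryptFixed refuses any tag that is not exactly 128 bits before touching the
// cipher, so a truncated tag is rejected regardless of its content.
func decryptFixed(key, iv, aad, ct, tag []byte) ([]byte, error) {
	if len(tag) != jweGCMTagLen {
		return nil, errors.New("jwe: GCM authentication tag must be exactly 16 octets")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte{}, ct...), tag...)
	return gcm.Open(nil, iv, sealed, aad)
}

// TruncatedTagOutcome encrypts the sample payload, truncates the tag to 12
// bytes as an attacker could, and reports whether each decryptor accepts it.
func TruncatedTagOutcome() (vulnAccepts, fixedAccepts bool, err error) {
	ct, tag, err := encryptA256GCM(sampleKey, sampleIV, sampleAAD, samplePT)
	if err != nil {
		return false, false, err
	}
	truncated := tag[:12]
	_, errV := decryptVulnerable(sampleKey, sampleIV, sampleAAD, ct, truncated)
	_, errF := decryptFixed(sampleKey, sampleIV, sampleAAD, ct, truncated)
	return errV == nil, errF == nil, nil
}

func main() {
	vuln, fixed, err := TruncatedTagOutcome()
	if err != nil {
		panic(err)
	}
	fmt.Printf("12-byte truncated tag accepted: vulnerable=%v fixed=%v\n", vuln, fixed)
}
```

The length check belongs before the cipher is configured, as in `decryptFixed`: once a GCM context has been told to expect a shorter tag, a prefix of the genuine tag verifies, so there is nothing left for the cipher to catch.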

Updates for JOSE for C/C++ that fix this dangerous bug have been released. We strongly recommend that all impacted users apply the updates released by Debian, Debian LTS, Oracle, Red Hat, Rocky Linux, and Ubuntu as soon as possible to safeguard their sensitive data and protect against potential security issues.

To stay on top of essential updates released by the open-source programs and applications you use, register as a LinuxSecurity user, subscribe to our Linux Advisory Watch newsletter, and customize your advisories for your distro(s). This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.

Follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s).