Impact

Jsrsasign supports RSA PKCS#1 v1.5 (i.e. RSAES-PKCS1-v1_5) and RSA-OAEP encryption and decryption. Its encrypted message is represented as BigInteger. When there is a valid encrypted message, a crafted message with prepending zeros can be decrypted by this vulnerability.

• If you don't use RSA PKCS1-v1_5 or RSA-OAEP decryption, this vulnerability is not affected.
• Risk to forge contents of encrypted message is very low.
• Risk to raise memory corruption is low since jsrsasign uses BigInteger class.

Patches

Users using RSA PKCS1-v1_5 or RSA-OAEP decryption should upgrade to 8.0.18.

Workarounds

Reject RSA PKCS1-v1_5 or RSA-OAEP encrypted message with unnecessary prepending zeros.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-14967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14967
https://vuldb.com/?id.157124
https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html#.decrypt
kjur/jsrsasign#439

References

• GHSA-xxxq-chmp-67g4
• https://nvd.nist.gov/vuln/detail/CVE-2020-14967
• kjur/jsrsasign#439
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14967
• https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html#.decrypt
• https://vuldb.com/?id.157124
• https://github.com/kjur/jsrsasign/releases/tag/8.0.17
• https://github.com/kjur/jsrsasign/releases/tag/8.0.18
• https://kjur.github.io/jsrsasign/
• https://www.npmjs.com/package/jsrsasign
• https://security.netapp.com/advisory/ntap-20200724-0001/