Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilities in Nimbus-JOSE-JWT
Description

Summary

A vulnerability has been identified in Nimbus-JOSE-JWT 7.9, which is used in IBM Engineering Lifecycle Management (IBM Jazz). This bulletin contains information regarding vulnerabilities and remediation actions.

Vulnerability Details

CVEID: CVE-2023-52428
DESCRIPTION: Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. By sending a specially crafted request using a large JWE p2c header, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Jazz Foundation | 7.1.0 |
| Jazz Foundation | 7.0.3 |
| Jazz Foundation | 7.0.2 |

Remediation/Fixes

STEPS TO APPLY THE REMEDIATION:

Users on ELM 7.0, 7.0.1 or any other version below 7.0.2 are advised to upgrade to maintenance release 7.0.2, as those versions have reached end of life. Optionally, upgrade to the latest 7.1.0 release and apply the fix below.

| Affected Product(s) | Version(s) | Remediation/Fix/Instructions |
|---|---|---|
| Jazz Foundation | 7.0.2 | Download and install iFix033 or later |
| Jazz Foundation | 7.0.3 | Download and install iFix013 or later |
| Jazz Foundation | 7.1.0 | Download and install iFix002 or later |

Workarounds and Mitigations …
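The denial of service described above is possible because the PBES2 decrypter derives its PBKDF2 iteration count from the untrusted p2c value in the JWE protected header. As an added example (not code from IBM, Jazz or the Nimbus project), the following Python pre-check parses only the protected header of a compact JWE and rejects PBES2 tokens whose p2c exceeds a cap before any key derivation runs; the cap value, the function names and the sample tokens are constructed for this example.

```python
import base64
import json

# Assumed ceiling on the PBES2 iteration count (p2c). Illustrative value for this
# example, not a figure taken from the IBM bulletin or the Nimbus project.
MAX_P2C = 1_000_000

def _b64url_decode(segment: str) -> bytes:
    # JWE segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def inspect_jwe(token: str, max_p2c: int = MAX_P2C) -> dict:
    """Verdict on a compact JWE taken before any decrypter touches it.

    Only the protected header is parsed; no key derivation runs, so an
    oversized p2c costs nothing at this stage.
    """
    parts = token.split(".")
    if len(parts) != 5:
        return {"accept": False, "reason": "not a compact JWE (expected 5 segments)"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return {"accept": False, "reason": "protected header is not base64url JSON"}
    if not isinstance(header, dict):
        return {"accept": False, "reason": "protected header is not a JSON object"}
    alg = header.get("alg")
    if not (isinstance(alg, str) and alg.startswith("PBES2-")):
        # Not password-based: p2c is irrelevant and the cap does not apply here.
        return {"accept": True, "alg": alg, "reason": "not a PBES2 token"}
    p2c = header.get("p2c")
    # RFC 7518 requires p2c to be a positive integer; exclude bool, an int subclass.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        return {"accept": False, "alg": alg, "reason": "p2c missing or not a positive integer"}
    if p2c > max_p2c:
        return {"accept": False, "alg": alg, "p2c": p2c,
                "reason": f"p2c {p2c} exceeds the configured cap of {max_p2c}"}
    return {"accept": True, "alg": alg, "p2c": p2c, "reason": "p2c within cap"}

def build_sample_jwe(header: dict) -> str:
    """Constructed sample: compact JWE with the given header and four dummy segments."""
    dummy = _b64url_encode(b"\x00" * 16)
    return ".".join([_b64url_encode(json.dumps(header).encode()), dummy, dummy, dummy, dummy])
```

Run the check at the point where tokens enter the service (a gateway filter or the code that hands the JWE to the decrypter), so a rejected token never reaches PBKDF2.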
