Consider downgrading to Nimbus 8 #9399


Closed
jzheaux opened this issue Feb 2, 2021 · 12 comments
Labels: in: build (An issue in the build), type: bug (A general bug)

Comments

@jzheaux
Contributor

jzheaux commented Feb 2, 2021

Due to a version incompatibility between oauth2-oidc-sdk:8.x and nimbus-jose-jwt:9.x, various users have reported friction with using Spring Security 5.4.x.

Since Spring Security doesn't rely on any nimbus-jose-jwt:9.x features, and since Nimbus will be supporting nimbus-jose-jwt:8.20.x for a longer time than normal, it seems like a win-win to change Spring Security 5.4.x to use nimbus-jose-jwt:8.20.x instead.

Anyone who needs 9.x features from nimbus-jose-jwt could declare their own dependency version in their applications.

@jzheaux jzheaux added the in: build (An issue in the build) and type: bug (A general bug) labels Feb 2, 2021
@jzheaux jzheaux added this to the 5.4.3 milestone Feb 2, 2021
@jzheaux jzheaux self-assigned this Feb 2, 2021
jzheaux added a commit that referenced this issue Feb 3, 2021
@spring-projects-issues

Fixed via e79141a

@ThanksForAllTheFish

ThanksForAllTheFish commented Mar 10, 2021

Unfortunately this broke nimbus-jose-jwt shaded json-smart, since that is available only in 9+. A new vulnerability was recently found in json-smart, https://nvd.nist.gov/vuln/detail/CVE-2021-27568. Or at least, in my current setup (with Spring Boot), simply setting nimbus-jose-jwt.version=9.1.3 does not work, complaining at runtime of missing json-smart when using spring-security 5.4.5, but seems good with spring-security 5.4.2. Relevant gradle properties to have a seemingly working setup without json-smart with Spring Boot 2.4.3:

  • in build.gradle

```groovy
// exclude json-smart from every configuration so it never reaches the runtime classpath
configurations.all {
  exclude module: "json-smart"
}
dependencies {
  implementation 'org.springframework.boot:spring-boot-starter-security'
  implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
  implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
}
```

  • in gradle.properties

```properties
spring-security.version=5.4.2
nimbus-jose-jwt.version=9.1.3
# not sure this is needed
oauth2-oidc-sdk.version=9.2.2
```

And unfortunately Spring Security 5.4.2 has its own vulnerability, so it is a bit of a chicken-and-egg problem.

I will come up with a full issue, just don't have time right now to create a new project and tinker with its setup.

@erlioniel

@ThanksForAllTheFish that's absolutely correct. We are struggling with the same CVE right now. However, I think an upgrade to nimbus 9.x won't solve the issue, but will hide it. The fix for the json-smart library doesn't exist right now and it doesn't look like it will in the near future.

I opened an issue in nimbus repository as well: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/411/json-smart-critical-vulnerability-cve-2021

@ThanksForAllTheFish

@erlioniel I guess this is not the right channel, but if I got it correctly, with nimbus 9 json-smart is shaded and optional, so somehow you can remove the library from the classpath and still have JWT parsing working. That is what

```groovy
configurations.all {
  exclude module: "json-smart"
}
```

does. After that you can run `gradle dI --dependency json-smart --configuration runtimeClasspath` and you will see that json-smart is not present anymore (which I think means it will not be available on the runtime classpath, thus saving your application from the CVE).

@erlioniel

@ThanksForAllTheFish the problem I'm stating is not that the dependency will be present in the tree, but the fact that the dependency with the vulnerability will be bundled without a fix, which will hide the problem, not solve it.

@barclay-reg

@erlioniel and @jzheaux so as oauth2-oidc-sdk-9.2.2 has fixed the vulnerability CVE-2021-27568, how to handle this with spring-boot-2.4.4 and spring-security-5.4.5?

@erlioniel

@barclay-reg depends on what solution you are looking for. If you are looking for a fixed issue, using oidc-sdk 9.2.2 is a good option, so you have to force the particular version of the dependency. If you are looking for a fix in the report, I doubt it's possible right now, because json-smart will be in the dependencies anyway, meaning Nexus IQ (or any other scan tool) will point it out.

For our project, we checked that the issue itself doesn't cause any data exposure and added this particular library as an exception. According to oidc-sdk devs json-smart won't be completely shadowed until version 10.x, so it's not clear when it will happen.

@erlioniel

@barclay-reg @ThanksForAllTheFish and everyone interested in the issue: there is a fixed version of json-smart, 2.4.1. So consider forcing use of this version if you still struggle with this CVE.
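
Forcing the fixed json-smart release in Gradle, as an added example that is not from this thread or from Spring Security: it pins every transitive request for json-smart to 2.4.1 (the version named above as fixing CVE-2021-27568) and adds a check that fails the build if any classpath still resolves an older one. It assumes a Spring Boot 2.4.x Gradle (Groovy DSL) project like the one earlier in the thread and json-smart's Maven coordinates `net.minidev:json-smart`.

```groovy
// Added example (not from the thread or Spring Security). Assumes a Spring Boot 2.4.x
// Groovy-DSL build and json-smart's coordinates net.minidev:json-smart.

// Force every transitive request for json-smart (via nimbus-jose-jwt or oauth2-oidc-sdk)
// onto 2.4.1, the release the thread identifies as fixing CVE-2021-27568.
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'net.minidev' && details.requested.name == 'json-smart') {
            details.useVersion('2.4.1')
            details.because('CVE-2021-27568: json-smart < 2.4.1 is vulnerable')
        }
    }
}

// Numeric comparison of dotted versions, e.g. olderThan('2.3', '2.4.1') is true
// and olderThan('2.4.1', '2.4.1') is false. Non-numeric segments count as 0.
def olderThan(String version, String minimum) {
    def a = version.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def b = minimum.tokenize('.').collect { it.toInteger() }
    for (int i = 0; i < Math.max(a.size(), b.size()); i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < b.size() ? b[i] : 0
        if (x != y) return x < y
    }
    return false
}

// Guard task: fail the build if any resolvable configuration still resolves a json-smart
// below 2.4.1. It passes when json-smart is absent (the exclude approach above) or fixed,
// so it also documents the decision for anyone reading a scanner report later.
tasks.register('checkJsonSmart') {
    description = 'Fails if a json-smart version affected by CVE-2021-27568 is on any classpath'
    doLast {
        configurations.matching { it.canBeResolved }.each { cfg ->
            cfg.resolvedConfiguration.lenientConfiguration.allModuleDependencies.each { dep ->
                if (dep.moduleGroup == 'net.minidev' && dep.moduleName == 'json-smart'
                        && olderThan(dep.moduleVersion, '2.4.1')) {
                    throw new GradleException(
                        "${cfg.name} resolves json-smart ${dep.moduleVersion} (< 2.4.1)")
                }
            }
        }
    }
}
tasks.named('check') { dependsOn 'checkJsonSmart' }
```

`gradle dependencyInsight --dependency json-smart --configuration runtimeClasspath` then shows the forced version together with the `because` reason, which is the evidence to attach to a scanner exception.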

@barclay-reg

barclay-reg commented Apr 6, 2021

@erlioniel many thanks for this hint; luckily 2.4.1 is back to java-8 (as 2.4 made the jump to java-11)... although: the jdk-8 and jdk-7 (?) builds are failing...

@jzheaux
Contributor Author

jzheaux commented Apr 6, 2021

@barclay-reg Nimbus backported the related fix to oauth2-oidc-sdk:8.36.1 and oauth2-oidc-sdk:7.1.3.

Spring Boot 2.4.4 is on oauth2-oidc-sdk:8.36.1, so no action is necessary.

@erlioniel

@jzheaux they backported the custom fix to 8.x, however I think the correct solution will be to bump the json-smart version for oauth-sdk & jose-jwt and then bump the dependency in spring security as well.

@jzheaux
Contributor Author

jzheaux commented Apr 7, 2021

> they backported the custom fix to 8.x

Thanks for sharing, @erlioniel, and for the tickets you filed to the Nimbus project to update the json-smart dependency.

> then bump the dependency in spring security as well

I appreciate this suggestion. Generally, though, Spring Security only manages its direct dependencies. I think the result will be the same by updating to the latest 8.x on the next patch release.
