Consider downgrading to Nimbus 8

[jzheaux]

Due to a version incompatibility between oauth2-oidc-sdk:8.x and nimbus-jose-jwt:9.x, various users have reported friction with using Spring Security 5.4.x.

Since Spring Security doesn't rely on any nimbus-jose-jwt:9.x features, and since Nimbus will be supporting nimbus-jose-jwt:8.20.x for a longer time than normal, it seems like a win-win to change Spring Security 5.4.x to use nimbus-jose-jwt:8.20.x instead.

Anyone who needs 9.x features from nimbus-jose-jwt could declare their own dependency version in their applications.

[spring-projects-issues]

Fixed via e79141a

[ThanksForAllTheFish]

Unfortunately this broke nimbus-jose-jwt shaded json-smart, since that is available only in 9+. A new vulnerability was recently found in json-smart, https://nvd.nist.gov/vuln/detail/CVE-2021-27568. or at least, in my current setup (with Spring Boot), simply setting nimbus-jose-jwt.version=9.1.3 does not work, complaining at runtime of missing json-smart when using spring-security 5.4.5, but seems good with spring-security 5.4.2. Relevant gradle properties to have a seemingly working setup without json-smart with Spring Boot 2.4.3:

• in build.gradle

configurations.all {
  exclude module: "json-smart"
}
dependencies {
  implementation 'org.springframework.boot:spring-boot-starter-security'
  implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
  implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
}

• in gradle.properties

spring-security.version=5.4.2
nimbus-jose-jwt.version=9.1.3
oauth2-oidc-sdk.version=9.2.2 //not sure this is needed

And unfortunately Spring Security 5.4.2 has its own vulnerability, so it is a bit of egg-chicken problem

I will come up with a full issue, just don't have time right now to create a new project and tinker with its setup.

[erlioniel]

@ThanksForAllTheFish that's absolutely correct. We are struggling with the same CVE right now. However I think upgrade to nimbus 9.x won't solve the issue, but will hide it. The fix for json-smart library doesn't exist right now and doesn't look like it will be in the nearest future.

I opened an issue in nimbus repository as well: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/411/json-smart-critical-vulnerability-cve-2021

[ThanksForAllTheFish]

@erlioniel I guess this is not the right channel, but if I got it correctly with nimbus 9 json smart is shaded and optional, somehow you can remove the library from the classpath and still have JWT parsing working. That is what

configurations.all {
  exclude module: "json-smart"
}

does. After that you can run gradle dI --dependency json-smart --configuration runtimeClasspath and you will see that json-smart is not present anymore (which I think it means it will not be available on the runtime classpath, thus saving your application from the CVE).

[erlioniel]

@ThanksForAllTheFish the problem I'm stating is not that the dependency will present in the tree, but the fact that the dependency with vulnerability will be bundled without fix. Which will hide the problem, not solve it.