IT10701: JWE DECRYPT ACTION AND GATEWAYSCRIPT CRYPTO AND JOSE MODULES MIGHT BE VULNERABLE TO THE PADDING ORACLE ATTACK
A fix is available
Closed as program error.
The JWE decrypt action and GatewayScript crypto and JOSE modules might be vulnerable to the padding oracle attack in some scenarios. Any decryption operation that uses these components might face this security exposure.
Sign the encrypted data, and put a verify operation before the decrypt operation.
Affects users who decrypt untrusted data using either the JWE decrypt action or GatewayScript programs that perform decrypt operations that use the crypto or JOSE modules. The JWE decrypt action and GatewayScript crypto and JOSE modules may be vulnerable to the 'padding oracle attack' in some scenarios. Any decryption operation that uses these components faces this security exposure.
Fix is available in 220.127.116.11
Reported component name
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
Fixed component ID
Applicable component levels