CVE-2022-36056: Merge pull request from GHSA-8gw7-4j42-w388 · sigstore/cosign@80b79ed

Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0, a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First, a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate are not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. Fourth, an invalid transparency log entry results in immediate success for verification. Details and examples of these issues can be seen in the linked GHSA-8gw7-4j42-w388 advisory. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.

Merge pull request from GHSA-8gw7-4j42-w388

* wip

Signed-off-by: Asra Ali [email protected]

more tests

Signed-off-by: Asra Ali [email protected]

finish tests

Signed-off-by: Asra Ali [email protected]

Add explicit testcase for failure in verifytlogentry

Signed-off-by: Asra Ali [email protected]

add testing for invalid provided bundle fails

Signed-off-by: Asra Ali [email protected]

update

Signed-off-by: Asra Ali [email protected]

address hayden comments

Signed-off-by: Asra Ali [email protected]

update

Signed-off-by: Asra Ali [email protected]

* fix: verify RekorBundle payload references blob

Co-authored-by: Cody Soyland [email protected]
Co-authored-by: Asra Ali [email protected]

* Add test for invalid blob signature causing error

Signed-off-by: Hayden Blauzvern [email protected]

* Add tests for checking identity flags

Signed-off-by: Hayden Blauzvern [email protected]

* address bob’s comment

Signed-off-by: Asra Ali [email protected]

* add comment on intoto multisig

Signed-off-by: Asra Ali [email protected]

Signed-off-by: Asra Ali [email protected]
Signed-off-by: Hayden Blauzvern [email protected]
Co-authored-by: Cody Soyland [email protected]
Co-authored-by: Hayden Blauzvern [email protected]

Related news

Red Hat Security Advisory 2022-8827-01

Red Hat Security Advisory 2022-8827-01 - Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.

RHSA-2022:8827: Red Hat Security Advisory: RHACS 3.73 enhancement and security update

Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2022-24778: imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path
* CVE-2022-36056: app-containers/cosign: false positive verification

GHSA-8gw7-4j42-w388: Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature

## Summary

A number of vulnerabilities have been found in `cosign verify-blob`, where Cosign would successfully verify an artifact when verification should have failed.

## Vulnerability 1: Bundle mismatch causes invalid verification.

### Summary

A cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature.

### Details

Cosign supports "bundles" which intend to allow offline verification of the signature and rekor inclusion. By using the --bundle flag in cosign sign-blob, cosign will create a JSON file called a "bundle". These bundles include three fields: base64Signature, cert, and rekorBundle. The desired behavior is that the verification of these bundles would:

- verify the provided blob using the included signature and certificate
- verify the rekorBundle SET
- verify the rekorBundle payload references the given artifact.

It appears that step three is not being performed, allowing "any old rekorBundle" to p...
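The missing step three from the advisory above, as an added Python example that is not cosign's own code: it decodes the Rekor entry embedded in a bundle and refuses the bundle unless that entry names the same signature the bundle presents and the SHA-256 of the blob actually being verified. It assumes cosign's bundle field names (base64Signature, cert, rekorBundle.Payload.body) and the Rekor hashedrekord entry layout (spec.signature.content, spec.data.hash); the signature, certificate and SET values are constructed placeholders, and steps one and two (signature and SET verification) are assumed to happen elsewhere.

```python
import base64
import hashlib
import json

def make_bundle(sig_b64: str, digest_hex: str) -> dict:
    """Constructed cosign-style bundle whose rekorBundle payload records the
    given signature and artifact digest (no real Rekor SET or cert here)."""
    entry = {"apiVersion": "0.0.1", "kind": "hashedrekord", "spec": {
        "data": {"hash": {"algorithm": "sha256", "value": digest_hex}},
        "signature": {"content": sig_b64, "publicKey": {"content": "cert-placeholder"}}}}
    return {
        "base64Signature": sig_b64,
        "cert": "cert-placeholder",
        "rekorBundle": {
            "SignedEntryTimestamp": "set-placeholder",
            "Payload": {"body": base64.b64encode(json.dumps(entry).encode()).decode(),
                        "integratedTime": 0, "logIndex": 0, "logID": "log-placeholder"}}}

def bundle_references_blob(bundle: dict, blob: bytes) -> bool:
    """Step three of bundle verification: the Rekor entry embedded in the bundle
    must name the signature the bundle presents and the digest of this blob.
    Steps one and two (signature and SET checks) are assumed done elsewhere."""
    try:
        body = json.loads(base64.b64decode(bundle["rekorBundle"]["Payload"]["body"]))
        logged_sig = body["spec"]["signature"]["content"]
        logged_alg = body["spec"]["data"]["hash"]["algorithm"]
        logged_digest = body["spec"]["data"]["hash"]["value"]
    except (KeyError, TypeError, ValueError):
        return False  # malformed or missing bundle: fail closed
    if body.get("kind") != "hashedrekord" or logged_alg != "sha256":
        return False
    if logged_sig != bundle.get("base64Signature"):
        return False  # the log entry belongs to some other signature
    return logged_digest == hashlib.sha256(blob).hexdigest()

# Constructed sample data: a blob, a stand-in "signature" (just bytes), one
# consistent bundle, and one whose rekorBundle was lifted from a different
# signing and so references neither this signature nor this blob.
BLOB = b"release-artifact-v1.tar.gz contents"
SIG_B64 = base64.b64encode(b"signature-over-BLOB").decode()
GOOD_BUNDLE = make_bundle(SIG_B64, hashlib.sha256(BLOB).hexdigest())
OTHER = make_bundle(base64.b64encode(b"unrelated-signature").decode(),
                    hashlib.sha256(b"some other artifact").hexdigest())
MISMATCHED_BUNDLE = dict(GOOD_BUNDLE, rekorBundle=OTHER["rekorBundle"])
```

Without this check a verifier that only performs steps one and two accepts MISMATCHED_BUNDLE, which is the behaviour the advisory describes; with it the bundle is rejected, as is a consistent bundle presented against a tampered blob.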
