CVE-2022-36056: Merge pull request from GHSA-8gw7-4j42-w388 · sigstore/cosign@80b79ed
Cosign is a project under the sigstore organization that aims to make signatures invisible infrastructure. In versions prior to 1.12.0, a number of vulnerabilities were found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First, a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when identity flags are provided, the email and issuer of a certificate are not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. Fourth, an invalid transparency log entry results in immediate success for verification. Details and examples of these issues can be seen in the linked GHSA-8gw7-4j42-w388 advisory. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.
Merge pull request from GHSA-8gw7-4j42-w388
* wip
Signed-off-by: Asra Ali [email protected]
more tests
Signed-off-by: Asra Ali [email protected]
finish tests
Signed-off-by: Asra Ali [email protected]
Add explicit testcase for failure in verifytlogentry
Signed-off-by: Asra Ali [email protected]
add testing for invalid provided bundle fails
Signed-off-by: Asra Ali [email protected]
update
Signed-off-by: Asra Ali [email protected]
address hayden comments
Signed-off-by: Asra Ali [email protected]
update
Signed-off-by: Asra Ali [email protected]
* fix: verify RekorBundle payload references blob
Co-authored-by: Cody Soyland [email protected]
Co-authored-by: Asra Ali [email protected]
* Add test for invalid blob signature causing error
Signed-off-by: Hayden Blauzvern [email protected]
* Add tests for checking identity flags
Signed-off-by: Hayden Blauzvern [email protected]
* address bob’s comment
Signed-off-by: Asra Ali [email protected]
* add comment on intoto multisig
Signed-off-by: Asra Ali [email protected]
Signed-off-by: Asra Ali [email protected]
Signed-off-by: Hayden Blauzvern [email protected]
Co-authored-by: Cody Soyland [email protected]
Co-authored-by: Hayden Blauzvern [email protected]
Related news
Red Hat Security Advisory 2022-8827-01 - Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
* CVE-2022-24778: imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path
* CVE-2022-36056: app-containers/cosign: false positive verification
## Summary

A number of vulnerabilities have been found in `cosign verify-blob`, where Cosign would successfully verify an artifact when verification should have failed.

## Vulnerability 1: Bundle mismatch causes invalid verification.

### Summary

A cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature.

### Details

Cosign supports "bundles" which intend to allow offline verification of the signature and rekor inclusion. By using the --bundle flag in cosign sign-blob, cosign will create a JSON file called a "bundle". These bundles include three fields: base64Signature, cert, and rekorBundle. The desired behavior is that the verification of these bundles would:

- verify the provided blob using the included signature and certificate
- verify the rekorBundle SET
- verify the rekorBundle payload references the given artifact.

It appears that step three is not being performed, allowing "any old rekorBundle" to p...
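The missing third step, as an added example in Go that is not cosign's or Rekor's own code: it decodes the rekorBundle payload body as a Rekor hashedrekord entry and rejects the bundle unless the entry's digest matches the blob and the entry's signature content matches base64Signature, so a bundle stitched together with "any old rekorBundle" fails. The struct shapes, the MakeBundle helper and the sample blob and signature bytes are assumptions constructed for this example; the check is meant to run after the blob signature and the SET have been verified, which this example does not do.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Assumed shapes for this example: they mirror the field names of a bundle file and
// of a Rekor hashedrekord entry body, but they are not cosign's or Rekor's own types.
type rekorPayload struct {
	Body  string `json:"body"`
	LogID string `json:"logID"`
}

type rekorBundle struct {
	SignedEntryTimestamp string       `json:"SignedEntryTimestamp"`
	Payload              rekorPayload `json:"Payload"`
}

type cosignBundle struct {
	Base64Signature string      `json:"base64Signature"`
	Cert            string      `json:"cert"`
	RekorBundle     rekorBundle `json:"rekorBundle"`
}

type hashedRekord struct {
	Kind string `json:"kind"`
	Spec struct {
		Data struct {
			Hash struct {
				Algorithm string `json:"algorithm"`
				Value     string `json:"value"`
			} `json:"hash"`
		} `json:"data"`
		Signature struct {
			Content string `json:"content"`
		} `json:"signature"`
	} `json:"spec"`
}

// BundleReferencesBlob is the advisory's third step: the Rekor entry inside the bundle
// must commit to the blob's digest and to the signature being verified. It belongs
// after, not instead of, the signature and SET checks.
func BundleReferencesBlob(bundleJSON, blob []byte) error {
	var b cosignBundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return fmt.Errorf("bundle: %w", err)
	}
	body, err := base64.StdEncoding.DecodeString(b.RekorBundle.Payload.Body)
	if err != nil {
		return fmt.Errorf("rekor body: %w", err)
	}
	var entry hashedRekord
	if err := json.Unmarshal(body, &entry); err != nil {
		return fmt.Errorf("rekor entry: %w", err)
	}
	if entry.Kind != "hashedrekord" {
		return fmt.Errorf("unsupported rekor entry kind %q", entry.Kind)
	}
	if !strings.EqualFold(entry.Spec.Data.Hash.Algorithm, "sha256") {
		return fmt.Errorf("unsupported hash algorithm %q", entry.Spec.Data.Hash.Algorithm)
	}
	// Compare digests as bytes so hex casing cannot cause a spurious mismatch.
	want := sha256.Sum256(blob)
	got, err := hex.DecodeString(entry.Spec.Data.Hash.Value)
	if err != nil || !bytes.Equal(got, want[:]) {
		return errors.New("rekor entry does not reference the provided blob")
	}
	// Compare signatures as decoded bytes; an empty or undecodable signature on
	// either side is a mismatch, never a pass.
	bundleSig, errB := base64.StdEncoding.DecodeString(b.Base64Signature)
	entrySig, errE := base64.StdEncoding.DecodeString(entry.Spec.Signature.Content)
	if errB != nil || errE != nil || len(bundleSig) == 0 || !bytes.Equal(bundleSig, entrySig) {
		return errors.New("rekor entry does not reference the provided signature")
	}
	return nil
}

// MakeBundle builds constructed test data: the top-level signature is bundleSig while
// the embedded Rekor entry records entrySig and digestHex. It carries no real SET.
func MakeBundle(bundleSig, entrySig []byte, digestHex string) []byte {
	entry := fmt.Sprintf(`{"apiVersion":"0.0.1","kind":"hashedrekord","spec":{"data":{"hash":{"algorithm":"sha256","value":"%s"}},"signature":{"content":"%s","publicKey":{"content":""}}}}`,
		digestHex, base64.StdEncoding.EncodeToString(entrySig))
	b := cosignBundle{Base64Signature: base64.StdEncoding.EncodeToString(bundleSig)}
	b.RekorBundle.Payload = rekorPayload{Body: base64.StdEncoding.EncodeToString([]byte(entry)), LogID: "constructed"}
	out, _ := json.Marshal(b)
	return out
}

func main() {
	blob := []byte("hello, world\n") // constructed artifact
	sum := sha256.Sum256(blob)
	sig := []byte("constructed-signature-bytes") // stands in for a real signature
	fmt.Println(BundleReferencesBlob(MakeBundle(sig, []byte("unrelated"), hex.EncodeToString(sum[:])), blob))
}
```

The crafted case in main is the advisory's scenario: the bundle's base64Signature may well verify against the blob, but the Rekor entry it carries was made for a different signature, and the check now reports that instead of letting the unrelated entry pass.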