Bug 2196656 (CVE-2023-30551)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-30551 rekor: compressed archives can result in OOM conditions | | |
| Product | [Other] Security Response | Reporter | juneau |
| Component | vulnerability | Assignee | Sayan Biswas <sabiswas> |
| Status | NEW --- | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | apjagtap, asatyam, bdettelb, dfreiber, dhanak, diagrawa, dsimansk, dymurray, jburrell, jmatthew, kshier, kverlaen, lball, matzew, mnovotny, nweather, rguimara, rhuss, rjohnson, rogbas, skontopo, stcannon, vkumar, whayutin, yguenane |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | rekor 1.1.1 | Doc Type | If docs needed, set a value |
Doc Text:

A flaw was found in Rekor. Versions prior to 1.1.1 can crash with an out-of-memory (OOM) condition because archive metadata files are read fully into memory without their sizes being checked first. Verification of a JAR file submitted to Rekor can cause the OOM crash if files within the JAR's META-INF directory are sufficiently large, and parsing an APK file submitted to Rekor can cause it if the .SIGN or .PKGINFO files within the APK are sufficiently large. Since both formats are compressed archives, the submission itself can be small while the entries it expands to are not, so limiting the size of the uploaded file does not prevent the crash. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.
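The failure mode described in the Doc Text, shown as an added Go example. This is not Rekor's code and not the upstream 1.1.1 fix; it contrasts the unbounded read of a JAR's META-INF entries with a bounded read that checks the declared entry size before decompressing and caps the bytes actually read. The names `readMetaInf`, `readUnbounded`, `readBounded` and `buildJAR`, the 1 MiB `maxMetaFileSize` cap, and the in-memory JAR built from 8 MiB of zeros are all constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxMetaFileSize is a hypothetical cap on any single META-INF entry held in
// memory. It is chosen for this example and is not a value taken from Rekor.
const maxMetaFileSize int64 = 1 << 20 // 1 MiB

var errMetaTooLarge = errors.New("archive metadata entry exceeds size limit")

// buildJAR constructs an in-memory JAR (a ZIP archive) with a single META-INF
// entry. Constructed test input, not a real artifact.
func buildJAR(name string, content []byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create("META-INF/" + name)
	if err != nil {
		panic(err)
	}
	if _, err := w.Write(content); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// entryReader reads one decompressed entry; declared is the size the archive
// header claims for it.
type entryReader func(r io.Reader, declared uint64) ([]byte, error)

// readMetaInf parses a JAR and passes every META-INF entry to read.
func readMetaInf(jar []byte, read entryReader) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte)
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "META-INF/") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := read(rc, f.UncompressedSize64)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		out[f.Name] = data
	}
	return out, nil
}

// readUnbounded is the pattern the advisory describes: the entry is fully
// decompressed into memory, so the allocation is whatever the archive author chose.
func readUnbounded(r io.Reader, _ uint64) ([]byte, error) {
	return io.ReadAll(r)
}

// readBounded returns the hardened reader. The declared size is checked first,
// rejecting an oversized entry before any decompression. That header is
// attacker-controlled, so the bytes actually produced are capped as well and the
// result can never exceed limit. The same function serves tar entries (APK
// .SIGN and .PKGINFO) when called with tar.Header.Size as declared.
func readBounded(limit int64) entryReader {
	return func(r io.Reader, declared uint64) ([]byte, error) {
		if declared > uint64(limit) {
			return nil, fmt.Errorf("declared %d bytes, limit %d: %w", declared, limit, errMetaTooLarge)
		}
		// Read limit+1 bytes at most: the extra byte is proof the header lied.
		data, err := io.ReadAll(io.LimitReader(r, limit+1))
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > limit {
			return nil, fmt.Errorf("produced more than %d bytes: %w", limit, errMetaTooLarge)
		}
		return data, nil
	}
}

func main() {
	// 8 MiB of zeros deflates to a few KiB: the JAR on the wire is tiny,
	// its single manifest entry is not.
	bomb := buildJAR("MANIFEST.MF", make([]byte, 8<<20))
	fmt.Printf("JAR on the wire: %d bytes\n", len(bomb))
	if _, err := readMetaInf(bomb, readBounded(maxMetaFileSize)); err != nil {
		fmt.Println("bounded:", err)
	}
	all, err := readMetaInf(bomb, readUnbounded)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unbounded: allocated %d bytes for one entry\n", len(all["META-INF/MANIFEST.MF"]))
}
```

The point of checking `UncompressedSize64` before calling `Open` is that the rejection costs nothing: no inflate buffer is ever allocated for an entry that declares itself oversized. Go's `archive/zip` does verify the declared size while reading, but the `io.LimitReader` cap does not depend on that behaviour and carries over unchanged to a `tar.Reader` over an APK, where the entry size likewise comes from attacker-supplied header bytes.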
| Field | Value | Field | Value |
|---|---|---|---|
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 2196653 | | |
Description
juneau 2023-05-09 18:16:45 UTC

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:7323 https://access.redhat.com/errata/RHSA-2023:7323

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198