Bug 2302458 (CVE-2024-42459)

Summary: CVE-2024-42459 elliptic: nodejs/elliptic: EDDSA signature malleability due to missing signature length check
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abarbaro, agutierr, akostadi, alcohan, amasferr, anjoseph, asoldano, bbaranow, bdettelb, bmaxwell, brian.stansberry, caswilli, cbartlet, cdaley, cdewolf, chazlett, ckandaga, cmiranda, crizzo, darran.lofthouse, dhanak, dkreling, dmayorov, doconnor, dosoudil, dsimansk, ecerquei, erack, fjuma, gkamathe, gmalinko, gotiwari, gparvin, hkataria, ibek, istudens, ivassile, iweiss, janstey, jcantril, jchui, jhe, jhorak, jlledo, jprabhak, jrokos, jwendell, kaycoth, kingland, kshier, ktsao, kverlaen, lbainbri, lchilton, lgao, matzew, mjaros, mkudlej, mmakovy, mnovotny, mosmerov, msochure, msvehla, mvyas, nboldt, njean, nwallace, owatkins, pahickey, pcongius, pdelbell, pesilva, pierdipi, pjindal, pmackay, psrna, pvasanth, rcernich, rguimara, rhaigner, rhuss, rojacob, rstancel, rstepani, rtaniwa, sausingh, sdawley, sfeifer, smaestri, teagle, tjochec, tkral, tom.jenkinson, tpopela, twalsh, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the NodeJS Elliptic package. When creating EDDSA signatures, the Elliptic package doesn't properly check the signature length, allowing zeros to be added or removed from the signature without invalidating it, which may result in confidentiality issues.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2303781, 2303782, 2303783, 2303784, 2303785, 2303787    
Bug Blocks:    

Description OSIDB Bzimport 2024-08-02 07:20:36 UTC 
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
Comment 1 Alberto Gutierrez 2024-08-14 08:38:27 UTC 
https://github.com/indutny/elliptic/pull/317 was merged 6 hours ago bumping th version to the 6.5.7 fixing:

CVE-2024-42459
CVE-2024-42460
CVE-2024-42461

NPM library published https://www.npmjs.com/package/elliptic
Comment 2 errata-xmlrpc 2024-09-17 19:47:42 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 8
  multicluster engine for Kubernetes 2.5 for RHEL 9

Via RHSA-2024:6738 https://access.redhat.com/errata/RHSA-2024:6738
Comment 3 errata-xmlrpc 2024-09-18 19:22:27 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:6779 https://access.redhat.com/errata/RHSA-2024:6779
Comment 5 errata-xmlrpc 2024-10-07 15:27:54 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.6 for RHEL 9
  multicluster engine for Kubernetes 2.6 for RHEL 8

Via RHSA-2024:7759 https://access.redhat.com/errata/RHSA-2024:7759
Comment 6 errata-xmlrpc 2024-10-11 01:44:40 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9

Via RHSA-2024:7994 https://access.redhat.com/errata/RHSA-2024:7994