Bug 2317724 (CVE-2024-48949)

Summary: CVE-2024-48949 elliptic: Missing Validation in Elliptic's EDDSA Signature Verification
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abarbaro, akostadi, alcohan, amasferr, anjoseph, bdettelb, btarraso, cbartlet, cdaley, chazlett, dmayorov, doconnor, erack, gkamathe, gotiwari, gparvin, jcantril, jchui, jhe, jhorak, jlledo, jprabhak, jwendell, ktsao, lbainbri, lchilton, mjaros, mkudlej, mmakovy, mvyas, nboldt, njean, owatkins, pahickey, psrna, rcernich, rhaigner, rojacob, rtaniwa, sdawley, sfeifer, teagle, tjochec, tkral, tpopela, twalsh, wtam
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2317791, 2317786, 2317787, 2317788, 2317789, 2317790
Bug Blocks:

Description OSIDB Bzimport 2024-10-10 01:01:02 UTC
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
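The following is an added example, not code from the elliptic package or from this bug's advisories: it shows the missing range check (0 <= S < n) applied to the scalar half of a 64-byte EdDSA signature before any curve-level verification runs, written with native BigInt instead of bn.js. The Ed25519 order constant is the standard value; the byte-layout helpers and the `verifyGated` wrapper with its `curveVerify` callback are assumptions for illustration.

```javascript
// Ed25519 group order n, the value elliptic exposes as curve.n for ed25519.
const ED25519_ORDER = (1n << 252n) + 27742317777372353535851937790883648493n;

// Decode a little-endian byte array (EdDSA scalar encoding) into a BigInt.
function leBytesToBigInt(bytes) {
  let x = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) x = (x << 8n) | BigInt(bytes[i]);
  return x;
}

// Encode a BigInt as 32 little-endian bytes (used only to build sample inputs).
function bigIntToLeBytes32(x) {
  const out = new Uint8Array(32);
  for (let i = 0; i < 32; i++) { out[i] = Number(x & 0xffn); x >>= 8n; }
  return out;
}

// The check the vulnerable verify() omitted, in BigInt form:
// reject S when S >= n (sig.S().gte(curve.n)) or S < 0 (sig.S().isNeg()).
function isScalarInRange(s, n = ED25519_ORDER) {
  return s >= 0n && s < n;
}

// Split a 64-byte signature into R (encoded point) and S (scalar) and reject
// any signature whose S is out of range. Returns null on rejection so the
// caller never reaches the point-verification step with a bad scalar.
function parseSignature(sigBytes) {
  if (sigBytes.length !== 64) return null;
  const R = sigBytes.slice(0, 32);                 // point; decoded/validated elsewhere
  const S = leBytesToBigInt(sigBytes.slice(32));   // scalar, little-endian
  if (!isScalarInRange(S)) return null;
  return { R, S };
}

// Hypothetical wrapper showing where the check belongs: the curve-level
// verification callback (assumed signature: (message, R, S) => boolean) is
// only invoked once S has passed the range check.
function verifyGated(curveVerify, message, sigBytes) {
  const parsed = parseSignature(sigBytes);
  if (parsed === null) return false;
  return curveVerify(message, parsed.R, parsed.S);
}

// Constructed sample signatures (R left as zero bytes; only S matters here).
function sampleSignature(s) {
  const sig = new Uint8Array(64);
  sig.set(bigIntToLeBytes32(s), 32);
  return sig;
}
```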

Comment 1 errata-xmlrpc 2024-10-23 10:08:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:8351 https://access.redhat.com/errata/RHSA-2024:8351

Comment 2 errata-xmlrpc 2024-10-28 09:58:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:8507 https://access.redhat.com/errata/RHSA-2024:8507

Comment 3 Borja Tarraso 2024-11-05 12:22:51 UTC
CVE-2024-48949 has been solved in https://access.redhat.com/errata/RHSA-2024:6738 for Multicluster Engine for Kubernetes 2.5.7

Comment 4 Borja Tarraso 2024-11-05 12:35:48 UTC
CVE-2024-48949 has been solved in https://access.redhat.com/errata/RHSA-2024:6779 for Red Hat Advanced Cluster Management at 2.10.6

Comment 5 errata-xmlrpc 2024-11-25 18:24:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2024:10236 https://access.redhat.com/errata/RHSA-2024:10236