Bug 2302458 (CVE-2024-42459) - CVE-2024-42459 elliptic: nodejs/elliptic: EDDSA signature malleability due to missing signature length check
Summary: CVE-2024-42459 elliptic: nodejs/elliptic: EDDSA signature malleability due to...
Keywords:
Status: NEW
Alias: CVE-2024-42459
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2303787 2303781 2303782 2303783 2303784 2303785
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-08-02 07:20 UTC by OSIDB Bzimport
Modified: 2024-10-14 11:26 UTC (History)
93 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the NodeJS Elliptic package. When creating EDDSA signatures, the Elliptic package doesn't properly check the signature length, allowing zeros to be added or removed from the signature without invalidating it, which may result in confidentiality issues.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:6738 0 None None None 2024-09-17 19:47:43 UTC
Red Hat Product Errata RHSA-2024:6779 0 None None None 2024-09-18 19:22:28 UTC
Red Hat Product Errata RHSA-2024:7759 0 None None None 2024-10-07 15:27:55 UTC
Red Hat Product Errata RHSA-2024:7994 0 None None None 2024-10-11 01:44:41 UTC

Description OSIDB Bzimport 2024-08-02 07:20:36 UTC
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

Comment 1 Alberto Gutierrez 2024-08-14 08:38:27 UTC
https://github.com/indutny/elliptic/pull/317 was merged 6 hours ago bumping th version to the 6.5.7 fixing:

CVE-2024-42459
CVE-2024-42460
CVE-2024-42461

NPM library published https://www.npmjs.com/package/elliptic

Comment 2 errata-xmlrpc 2024-09-17 19:47:42 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 8
  multicluster engine for Kubernetes 2.5 for RHEL 9

Via RHSA-2024:6738 https://access.redhat.com/errata/RHSA-2024:6738

Comment 3 errata-xmlrpc 2024-09-18 19:22:27 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2024:6779 https://access.redhat.com/errata/RHSA-2024:6779

Comment 5 errata-xmlrpc 2024-10-07 15:27:54 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.6 for RHEL 9
  multicluster engine for Kubernetes 2.6 for RHEL 8

Via RHSA-2024:7759 https://access.redhat.com/errata/RHSA-2024:7759

Comment 6 errata-xmlrpc 2024-10-11 01:44:40 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9

Via RHSA-2024:7994 https://access.redhat.com/errata/RHSA-2024:7994


Note You need to log in before you can comment on or make changes to this bug.