Bug 2067461 (CVE-2022-24773) - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure
Summary: CVE-2022-24773 node-forge: Signature verification leniency in checking `Diges...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24773
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2069027 2069028 2069029 2069030 2069031 2069032 2069034 2069036 2069225 2069608 2069609 2069611 2069033 2069035 2069223 2069226 2078888 2078889 2078890 2102577
Blocks: 2067462
TreeView+ depends on / blocked
 
Reported: 2022-03-23 20:54 UTC by Pedro Sampaio
Modified: 2022-08-16 16:50 UTC (History)
100 users (show)

Fixed In Version: node-forge 1.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the node-forge library when verifying the signature on the ASN.1 structure in RSA PKCS#1 v1.5. This flaw allows an attacker to obtain successful verification for invalid DigestInfo structure, affecting the integrity of the attacked resource.
Clone Of:
Environment:
Last Closed: 2022-05-06 00:46:17 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1681 0 None None None 2022-05-03 16:43:51 UTC
Red Hat Product Errata RHSA-2022:1739 0 None None None 2022-05-05 18:03:11 UTC

Description Pedro Sampaio 2022-03-23 20:54:55 UTC
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr
https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2

Comment 3 Avinash Hanwate 2022-03-28 04:43:26 UTC
Created cockatrice tracking bugs for this issue:

Affects: fedora-all [bug 2069028]


Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2069030]


Created dotnet3.1 tracking bugs for this issue:

Affects: fedora-all [bug 2069027]


Created golang-ariga-atlas tracking bugs for this issue:

Affects: fedora-all [bug 2069031]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2069036]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2069032]


Created grpc tracking bugs for this issue:

Affects: fedora-all [bug 2069033]


Created openvas-gsa tracking bugs for this issue:

Affects: fedora-all [bug 2069034]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2069035]

Comment 10 errata-xmlrpc 2022-05-03 16:43:45 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

Comment 11 errata-xmlrpc 2022-05-05 18:03:05 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739

Comment 12 Product Security DevOps Team 2022-05-06 00:46:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24773


Note You need to log in before you can comment on or make changes to this bug.