Bug 2196656 (CVE-2023-30551) - CVE-2023-30551 rekor: compressed archives can result in OOM conditions
Summary: CVE-2023-30551 rekor: compressed archives can result in OOM conditions
Keywords:
Status: NEW
Alias: CVE-2023-30551
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2196653
TreeView+ depends on / blocked
 
Reported: 2023-05-09 18:16 UTC by juneau
Modified: 2024-02-27 20:49 UTC (History)
26 users (show)

Fixed In Version: rekor 1.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Rekor. Versions prior to 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing an APK file submitted to Rekor can also cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:49:19 UTC
Red Hat Product Errata RHSA-2023:7323 0 None None None 2023-11-21 11:28:23 UTC

Description juneau 2023-05-09 18:16:45 UTC
CVE-2023-30551:

Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.

Reference:
https://github.com/sigstore/rekor/security/advisories/GHSA-2h5h-59f5-c5x9

Upstream patch:
https://github.com/sigstore/rekor/commit/cf42ace82667025fe128f7a50cf6b4cdff51cc48

Comment 6 errata-xmlrpc 2023-11-21 11:28:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:7323 https://access.redhat.com/errata/RHSA-2023:7323

Comment 7 errata-xmlrpc 2024-02-27 20:49:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198


Note You need to log in before you can comment on or make changes to this bug.