CVE-2024-47534 for github.com/theupdateframework/go-tuf 0.7.0 #2237

Closed
onelapahead opened this issue Oct 10, 2024 · 4 comments
Labels
enhancement New feature or request

Comments


onelapahead commented Oct 10, 2024

Description

Using cosign, sigstore, and rekor as Go dependencies in our tooling, our CVE scanners (trivy / AquaDB) have flagged a new HIGH CVE that states:

The go-tuf client inconsistently traces the delegations. For example, if targets delegate to A, and to B, and B delegates to C, then the client should trace the delegations in the order A then B then C but it may incorrectly trace the delegations B->C->A.

https://avd.aquasec.com/nvd/2024/cve-2024-47534/

Looking at the code briefly, the issue is that rekor still uses 0.7.0 of TUF rather than migrating to TUF 2.x (which it looks like cosign has upgraded to). It's unclear how complex this upgrade would be, and if there's any migration involved.

Questions

  1. Can the maintainers explain how users might be affected and/or vulnerable?
  2. What is the timeline for this being patched? Once it's patched, is there any migration involved for users? Based on "Proposal to deprecate unused Rekor kinds in public instance: alpine, rpm, rfc3161, jar, tuf" (#2080), there was hope of deprecating TUF use?

NOTE: I did not go through the vulnerability disclosure process because 1) this CVE is already publicly disclosed, 2) it's not clear if rekor is actually impacted by this CVE.
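For readers trying to judge exposure from the advisory text quoted above, here is an added example (not Rekor's or go-tuf's code) of the delegation walk the TUF specification requires: pre-order, depth-first, following each role's delegations in list order, never visiting a role twice, and ending the search at a terminating delegation whose subtree has no answer. The metadata model, role names and target paths are constructed for the example; the `misordered` flag walks each delegation list backwards only to illustrate the kind of out-of-order trace the advisory describes (targets -> B -> C -> A), not what go-tuf itself did. The shared target shows why order is security-relevant: when two delegated roles both sign for the same path, the delegation listed first must win.

```go
package main

import "path"

// Delegation is one entry in a role's ordered delegation list: the child role,
// the glob patterns it is trusted for, and the TUF "terminating" flag.
type Delegation struct {
	Role        string
	Paths       []string
	Terminating bool
}

// Role stands in for already-verified targets metadata: the paths it signs
// for and its delegations in the order the metadata lists them.
type Role struct {
	Targets     map[string]bool
	Delegations []Delegation
}

// Metadata maps a role name to its verified targets metadata (constructed here).
type Metadata map[string]*Role

// Traversal records the roles visited, in order, and which role answered
// (FoundIn is empty when the target was not found).
type Traversal struct {
	Visited []string
	FoundIn string
}

func matches(patterns []string, target string) bool {
	for _, p := range patterns {
		if ok, _ := path.Match(p, target); ok {
			return true
		}
	}
	return false
}

// search is the TUF pre-order, depth-first delegation walk: visit a role, stop
// if it lists the target, otherwise follow each matching delegation in list
// order; skip roles already visited (cycles); and end the whole search when a
// terminating delegation's subtree has no answer. misordered=true walks each
// delegation list backwards, purely to illustrate an out-of-order trace.
func search(md Metadata, target string, misordered bool) Traversal {
	tr := Traversal{}
	visited := map[string]bool{}
	var walk func(string) (bool, bool) // returns (found, stopSearch)
	walk = func(name string) (bool, bool) {
		if visited[name] {
			return false, false
		}
		visited[name] = true
		tr.Visited = append(tr.Visited, name)
		role, ok := md[name]
		if !ok {
			return false, false // metadata missing: no answer from this branch
		}
		if role.Targets[target] {
			tr.FoundIn = name
			return true, false
		}
		n := len(role.Delegations)
		for i := 0; i < n; i++ {
			d := role.Delegations[i]
			if misordered {
				d = role.Delegations[n-1-i]
			}
			if !matches(d.Paths, target) {
				continue
			}
			if found, stop := walk(d.Role); found {
				return true, false
			} else if stop || d.Terminating {
				return false, true
			}
		}
		return false, false
	}
	walk("targets")
	return tr
}

// FindTarget is the spec-ordered walk; FindTargetMisordered shows what an
// out-of-order trace would resolve instead.
func FindTarget(md Metadata, target string) Traversal { return search(md, target, false) }
func FindTargetMisordered(md Metadata, target string) Traversal { return search(md, target, true) }

// ExampleMetadata is constructed data mirroring the advisory: targets -> A,
// targets -> B, B -> C. "pkg/shared.tar.gz" is signed by both A and C, so the
// traversal order decides which role's key answers for it.
func ExampleMetadata() Metadata {
	return Metadata{
		"targets": {Delegations: []Delegation{
			{Role: "A", Paths: []string{"pkg/*"}},
			{Role: "B", Paths: []string{"pkg/*"}},
		}},
		"A": {Targets: map[string]bool{"pkg/a.tar.gz": true, "pkg/shared.tar.gz": true}},
		"B": {Delegations: []Delegation{{Role: "C", Paths: []string{"pkg/*"}}}},
		"C": {Targets: map[string]bool{"pkg/c.tar.gz": true, "pkg/shared.tar.gz": true}},
	}
}
```

With the constructed metadata, `FindTarget(ExampleMetadata(), "pkg/a.tar.gz")` visits targets->A and answers A, while `FindTargetMisordered` visits targets->B->C->A for the same path. For "pkg/shared.tar.gz" the ordered walk resolves to A but the misordered one to C, which is the practical consequence of the advisory: a role the repository owner placed lower in the delegation list ends up deciding what the client trusts. Marking the A delegation as terminating ends the search at A without consulting B, and a cycle such as C delegating back to targets is cut off by the visited set.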

onelapahead added the enhancement label Oct 10, 2024
@haydentherapper
Contributor

This vulnerability does not affect rekor.

We will leave this open as we investigate upgrading to go-TUF v2.

@onelapahead
Author

Awesome thank you @haydentherapper !

@sinke237

sinke237 commented Oct 11, 2024

Hi @onelapahead ,
Thank you for pointing this out.
I previously contacted the maintainers of aquasec/trivy about this issue.
Their response was that they need to wait for rekor to update from v0.7.0 to v2.0.1 (which includes the fix).
Given my passion for resolving this issue, I continued my research and found this forum.

Hi @haydentherapper ,
I'm reaching out to clarify your statement regarding the vulnerability not affecting rekor. While you mentioned it doesn't impact rekor, I found several rekor files referencing github.com/theupdateframework/go-tuf v0.7.0 (see attached screenshot).
PS: I have not made any modification to the indicated branch on the screenshot
[Screenshot attached: 2024-10-11 09-11-40]

My passion for this issue led me here, and I'd appreciate your insights on this matter.

@haydentherapper
Contributor

go-tuf v0.7.0 is not affected by the vulnerability. I've discussed this with the go-tuf maintainers and they'll be updating the GHSA.

Even if v0.7.0 were affected, our usage of go-tuf in Rekor does not use the vulnerable API. We won't be prioritizing an update to go-tuf v2 as the type will be deprecated (#2080).

@haydentherapper haydentherapper closed this as not planned Won't fix, can't repro, duplicate, stale Oct 11, 2024
3 participants