CVE-2022-23649 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-23649 Interim 1 8 2023-06-12T23:27:37Z current 2022-02-22T02:47:36Z 2023-06-12T23:27:37Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-23649 Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio. If an attacker has access to the signature in OCI, they can manipulate cosign into believing the entry was stored in Rekor even though it wasn't. The vulnerability has been patched in v1.5.2 of Cosign. The `signature` in the `signedEntryTimestamp` provided by Rekor is now compared to the `signature` that is being verified. If these don't match, then an error is returned. If a valid bundle is copied to a different signature, verification should fail. Cosign output now only informs the user that certificates were verified if a certificate was in fact verified. There is currently no known workaround. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP4 SUSE Linux Enterprise Module for Basesystem 15 SP4 openSUSE Tumbleweed cosign cosign-1.12.0-150400.3.6.1 cosign-1.5.2-1.1 cosign-1.5.2-150400.1.7 cosign-1.5.2-150400.1.7 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 cosign-1.12.0-150400.3.6.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 cosign-1.5.2-1.1 as a component of openSUSE Tumbleweed cosign as a component of SUSE Linux Enterprise Module for Basesystem 15 SP4 Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio. If an attacker has access to the signature in OCI, they can manipulate cosign into believing the entry was stored in Rekor even though it wasn't. The vulnerability has been patched in v1.5.2 of Cosign. The `signature` in the `signedEntryTimestamp` provided by Rekor is now compared to the `signature` that is being verified. If these don't match, then an error is returned. If a valid bundle is copied to a different signature, verification should fail. Cosign output now only informs the user that certificates were verified if a certificate was in fact verified. There is currently no known workaround. CVE-2022-23649 SUSE Linux Enterprise Module for Basesystem 15 SP4:cosign-1.5.2-150400.1.7 SUSE Linux Enterprise Module for Basesystem 15 SP5:cosign-1.12.0-150400.3.6.1 openSUSE Tumbleweed:cosign-1.5.2-1.1 SUSE Linux Enterprise Module for Basesystem 15 SP4:cosign moderate 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N