CVE-2024-29903: Cosign malicious artifacts can cause machine-wide DoS

April 11, 2024

Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates.

As an example, these lines demonstrate the problem:

https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70

This Get() method fetches the image's manifest, allocates a slice whose length equals the number of layers in that manifest, then loops over the layers and adds a new signature to the slice for each one.

The exact issue is that Cosign allocates excessive memory on the lines that create a slice of the same length as the manifests, so the layer count in an untrusted manifest directly sets the allocation size.
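To make the CWE-770 pattern concrete, here is an added example (not Cosign's own code; the type names, the 1 MiB manifest cap and the 1000-layer bound are all assumptions) showing the hardened shape of the loop described above: the untrusted manifest is read through a size limit and its layer count is checked before any per-layer slice is allocated.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed stand-ins for the OCI types; not Cosign's own definitions.
type Descriptor struct{ Digest string `json:"digest"` }
type Manifest struct{ Layers []Descriptor `json:"layers"` }
type Signature struct{ Layer Descriptor }

// Assumed bounds; the advisory names no specific values.
const maxManifestBytes = 1 << 20 // manifest JSON we are willing to read
const maxLayers = 1000           // entries we will turn into signatures
var ErrTooManyLayers = errors.New("manifest declares too many layers")

// signaturesBounded is the hardened shape of the Get() loop the advisory
// describes (vulnerable form: make([]Signature, len(m.Layers)) unchecked):
// bytes read and layer count are capped before any per-layer allocation.
func signaturesBounded(r io.Reader) ([]Signature, error) {
	var m Manifest
	if err := json.NewDecoder(io.LimitReader(r, maxManifestBytes)).Decode(&m); err != nil {
		return nil, fmt.Errorf("decoding manifest: %w", err)
	}
	if n := len(m.Layers); n > maxLayers {
		return nil, fmt.Errorf("%w: %d > %d", ErrTooManyLayers, n, maxLayers)
	}
	sigs := make([]Signature, 0, len(m.Layers))
	for _, l := range m.Layers {
		sigs = append(sigs, Signature{Layer: l})
	}
	return sigs, nil
}

// constructedManifest builds manifest JSON with n layers (test input only).
func constructedManifest(n int) string {
	layers := make([]string, n)
	for i := range layers {
		layers[i] = fmt.Sprintf(`{"digest":"sha256:%064d"}`, i)
	}
	return `{"layers":[` + strings.Join(layers, ",") + "]}"
}

func main() {
	fmt.Println(signaturesBounded(strings.NewReader(constructedManifest(maxLayers + 1))))
}
```

The byte cap matters as much as the count check: without it, a manifest large enough to exhaust memory is already a problem before the layer loop runs.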

References

  • github.com/advisories/GHSA-95pr-fxf5-86gv
  • github.com/sigstore/cosign
  • github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go
  • github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go
  • github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
  • github.com/sigstore/cosign/releases/tag/v2.2.4
  • github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv
  • nvd.nist.gov/vuln/detail/CVE-2024-29903


Affected versions

All versions up to 2.2.3

Solution

Unfortunately, there is no solution available yet.

Impact 4.2 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H


Weakness

  • CWE-770: Allocation of Resources Without Limits or Throttling

Source file

go/github.com/sigstore/cosign/CVE-2024-29903.yml


Page generated Wed, 14 May 2025 12:16:10 +0000.