Rekor is open source software that provides a transparency log for the software supply chain. A vulnerability identified in versions prior to 1.1.1 can cause the software to crash due to out of memory (OOM) conditions. In this post, we discuss the vulnerability, the potential exploits, and the fix shipped in Rekor version 1.1.1. Links to official documentation, code snippets, and exploit details are provided throughout the post to make it as comprehensive as possible.

Vulnerability Description

The vulnerability (CVE-2023-30551) is related to Rekor not checking the sizes of archive metadata files before loading them into memory. This can lead to an OOM crash if specific conditions are met in JAR and APK files submitted to Rekor. The specific conditions are:

Exploit Details

An attacker may craft a malicious JAR or APK file with large file sizes in the META-INF directory, or with large .SIGN and .PKGINFO files, respectively. By submitting these crafted files to Rekor, the attacker can cause out of memory crashes in the application, potentially rendering it unusable for other users.

There are no known workarounds for this vulnerability. The only solution is to update Rekor to version 1.1.1.

Patching the Vulnerability

To patch this vulnerability, users need to upgrade to Rekor version 1.1.1. This version introduces checks on the file sizes of archive metadata files before reading them into memory. This mitigates the risk of OOM crashes when parsing large JAR and APK files.

Changing the verify function as shown below can patch this vulnerability:

import zipfile

# Example limit in bytes; set it to the largest metadata file you expect to see.
MAX_FILE_SIZE = 1024 * 1024


def verify(jar_file):
    with zipfile.ZipFile(jar_file, "r") as z:
        for file in z.namelist():
            if file.startswith("META-INF/"):
                # Check the declared (uncompressed) size before loading the entry into memory
                file_info = z.getinfo(file)
                if file_info.file_size > MAX_FILE_SIZE:
                    raise ValueError("File size exceeds the allowed limit")
                content = z.read(file)
                # Rest of the verification process...

This code snippet provides a simple example of how the file size can be checked before loading the archive metadata file into memory. In this case, MAX_FILE_SIZE is a predefined constant representing the maximum allowed file size. If the file size exceeds this limit, a ValueError is raised.
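The following added example (not Rekor's code, which is written in Go) makes the JAR case from the snippet above runnable end to end: it inspects only the zip central-directory headers, rejects an archive whose META-INF entry declares a size above the cap, and constructs two small sample archives in memory to exercise both outcomes. The cap, the helper names and the sample archive contents are assumptions chosen for this demonstration.

```python
import io
import zipfile

# Constructed cap for this demonstration; Rekor's own limit is not stated on this page.
MAX_METADATA_SIZE = 1024  # bytes


def oversized_metadata_entries(jar_bytes, max_size=MAX_METADATA_SIZE):
    """Return (name, declared_size) for META-INF/ entries larger than max_size.

    Only the central-directory headers are inspected, so nothing is decompressed
    or copied into memory before the decision is made. zipfile bounds read() by
    the declared file_size, so this check also bounds what a later read returns.
    """
    too_big = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for info in z.infolist():
            if info.filename.startswith("META-INF/") and info.file_size > max_size:
                too_big.append((info.filename, info.file_size))
    return too_big


def read_metadata_safely(jar_bytes, max_size=MAX_METADATA_SIZE):
    """Load META-INF/ entries into memory only after the size check passes."""
    bad = oversized_metadata_entries(jar_bytes, max_size)
    if bad:
        names = ", ".join(f"{name} ({size} bytes)" for name, size in bad)
        raise ValueError(f"archive metadata exceeds {max_size} bytes: {names}")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return {i.filename: z.read(i) for i in z.infolist()
                if i.filename.startswith("META-INF/")}


def build_jar(manifest_size):
    """Constructed sample JAR whose META-INF/MANIFEST.MF is padded to manifest_size bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n".ljust(manifest_size, b" "))
        z.writestr("com/example/Hello.class", b"placeholder class bytes")
    return buf.getvalue()


BENIGN_JAR = build_jar(200)
# Padding compresses to a few bytes on disk; the declared uncompressed size is what matters.
OVERSIZED_JAR = build_jar(8 * 1024)
```

The same header-first pattern applies to the APK case on the page: inspect the tar entry headers for .SIGN and .PKGINFO and refuse to extract before the size is known to be acceptable.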

References

1. Rekor GitHub Repository - https://github.com/projectrekor/rekor
2. CVE-2023-30551 Official Details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30551

Conclusion

CVE-2023-30551 is a critical vulnerability in Rekor that can lead to out of memory crashes when parsing large JAR or APK files. Users are advised to update their Rekor installations to version 1.1.1, which includes a patch for this issue. By updating Rekor, you can ensure that your software supply chain transparency log remains safe and functional.

Timeline

Published on: 05/08/2023 16:15:00 UTC
Last modified on: 05/12/2023 16:27:00 UTC