Sigstore Java has a vulnerability with bundle verification of integratedTime
🔗 CVE IDs covered (1)
📋 Description
Summary
Regression: Verification of integratedTime from Rekor V1 Log Entry against Fuclio Certificate validity was missing
Details
- PR #1008 erroneously removed verification of the integrated (Rekor entry) time) against the Fulcio certificate.
- PR #1185 re-added this verification with enhancements that adhere to the Sigstore verification spec.
- old sigstore-conformance test for this check was built incorrectly
PoC
A new bundle was added to sigstore-conformance to test this: sigstore-java:2.0.0 can be tested against it and shown to be unexpectedly passing
Verify this bundle against a.txt
$ git clone [email protected]:sigstore/sigstore-java
$ git checkout v2.0.0
$ ./gradlew :sigstore-cli:build
$ tar -xf sigstore-cli/build/distributions/sigstore-cli-*-SNAPSHOT.tar --strip-components 1
$ ./bin/sigstore-cli verify --bundle=bundle.sigstore.json a.txt
# expect error but none
Impact
This vulnerability impacts only users verifying bundles with dev.sigstore:sigstore-java:2.0.0. Older versions are not affected, it is fixed in dev.sigstore:sigstore-java:2.1.0
A malicious actor may exploit this if they were able to access a users system and exfiltrate the temporary private key used during signing and then reuse an old fulcio certificate later without requiring direct access to the user's credentials.
Users may protect themselves by re-verifying their artifacts using the newest sigstore-java or another current sigstore client. Transparency logs may also be audited for unauthorized signatures for a suspected reused identity.
🎯 Affected products1
- maven/dev.sigstore:sigstore-java:= 2.0.0
🔗 References (6)
- https://github.com/sigstore/sigstore-java/security/advisories/GHSA-qqw8-7c2r-jxch
- https://github.com/sigstore/sigstore-java/pull/1008
- https://github.com/sigstore/sigstore-java/pull/1185
- https://github.com/sigstore/sigstore-java/commit/4b7a49ebb1813f5b1ff113bcad63246358222d61
- https://github.com/sigstore/sigstore-java/commit/b529335728fc5cfb574161b4b3c06859a8a2aa88
- https://github.com/advisories/GHSA-qqw8-7c2r-jxch