Security release of dev.sigstore:sigstore-java:1.2.0 is now available


Appu Goundan

Jan 17, 2025, 12:18:40 PM
to sigsto...@googlegroups.com

Hello sigstore Community,


The Security Response Committee and maintainers of sigstore/sigstore-java would like to announce the availability of sigstore/sigstore-java 1.2.0.


This addresses the following CVE(s):

* CVE-2024-53267 (medium): Vulnerability with bundle verification (log entries) https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w

* CVE-2024-54140 (low): Vulnerability with bundle verification (checkpoints) https://github.com/sigstore/sigstore-java/security/advisories/GHSA-jp26-88mw-89qr

...


Upgrading to 1.2.0 is encouraged to fix these issues.


**Am I vulnerable?**


Signatures produced by sigstore-java are not compromised. Projects using sigstore-java's Maven and Gradle signing plugins are not affected by these issues.


If your project is verifying sigstore bundles using sigstore-java before v1.2.0, you are probably vulnerable.

Check the dependencies of your Java projects. For single-module projects, `./gradlew :dependencies` (Gradle) or `mvn dependency:list` (Maven) typically lists them.
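As an added example (not part of the advisory), the following POSIX shell script scans the output of either build tool for `dev.sigstore:sigstore-java` and flags any resolved version older than 1.2.0; the sample dependency output embedded in it is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: find dev.sigstore:sigstore-java versions older than the fixed release
# in Gradle (`./gradlew :dependencies`) or Maven (`mvn dependency:list`) output.

FIXED_VERSION="1.2.0"

# Returns 0 when $1 is an older release than $2, comparing major.minor.patch
# numerically; a suffix such as "-SNAPSHOT" is ignored for the comparison.
version_lt() {
  v1=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  v2=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s' "$v1" | cut -d. -f"$i"); a=${a:-0}
    b=$(printf '%s' "$v2" | cut -d. -f"$i"); b=${b:-0}
    [ "$a" -lt "$b" ] && return 0
    [ "$a" -gt "$b" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Prints the sigstore-java version named on one output line, or nothing.
# Gradle writes "declared -> resolved" on conflict; the resolved version is used.
# Maven writes "group:artifact:jar:version:scope".
sigstore_java_version() {
  line=$1
  case $line in *dev.sigstore:sigstore-java:*) ;; *) return 0 ;; esac
  case $line in
    *'->'*) printf '%s\n' "${line##*-> }" | sed 's/ .*//' ;;
    *) rest=${line##*dev.sigstore:sigstore-java:}; rest=${rest#jar:}
       printf '%s\n' "$rest" | sed 's/[: (].*//' ;;
  esac
}

# Constructed sample mixing Gradle and Maven lines (not real project output).
SAMPLE_OUTPUT='+--- dev.sigstore:sigstore-java:1.1.0 (*)
+--- dev.sigstore:sigstore-java:1.0.0 -> 1.2.0
|    \--- dev.sigstore:sigstore-java:jar:1.2.0:compile
     com.google.guava:guava:jar:33.0.0-jre:compile'

# Reads dependency output on stdin, prints each vulnerable version found and
# returns 0 if any sigstore-java older than FIXED_VERSION appears, else 1.
find_vulnerable_sigstore_java() {
  found=1
  while IFS= read -r line || [ -n "$line" ]; do
    ver=$(sigstore_java_version "$line"); [ -n "$ver" ] || continue
    if version_lt "$ver" "$FIXED_VERSION"; then
      printf 'vulnerable: dev.sigstore:sigstore-java:%s (upgrade to %s)\n' "$ver" "$FIXED_VERSION"
      found=0
    fi
  done
  return $found
}
```

Pipe real output into it with `./gradlew :dependencies | sh -c '. ./check.sh; find_vulnerable_sigstore_java'` (or the Maven equivalent); the sample run `printf '%s\n' "$SAMPLE_OUTPUT" | find_vulnerable_sigstore_java` reports only the 1.1.0 entry.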


**How do I mitigate the vulnerability?**


Upgrading to sigstore-java 1.2.0 should mitigate the disclosed vulnerabilities.

If you are unable to upgrade, mitigations are available on the GitHub advisories for CVE-2024-53267 and CVE-2024-54140.


A single mitigation for both CVEs can be achieved with the following:



```java
Path bundleFile, artifact; // provided

var bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);
var rekorEntry = bundle.getEntries().get(0); // the bundle's first log entry
var artifactDigest = Files.asByteSource(artifact.toFile()).hash(Hashing.sha256()).asBytes();

// do regular keyless verification
try {
  var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
  verifier.verify(artifact, bundle, VerificationOptions.empty());
  // verification passed!
} catch (KeylessVerificationException e) {
  // verification failed: stop here, the extra checks below only make sense for a bundle that passed
  throw e;
}

// compare the rekor entry to what is expected (mitigate CVE-2024-53267)
// Recompute the hashedrekord body from the artifact digest, the leaf certificate and the
// signature in the bundle, and require it to match the body recorded in the log entry.
var calculatedHashedRekord =
    Base64.toBase64String(
        HashedRekordRequest.newHashedRekordRequest(
                artifactDigest,
                Certificates.toPemBytes(Certificates.getLeaf(bundle.getCertPath())),
                bundle.getMessageSignature().get().getSignature())
            .toJsonPayload()
            .getBytes(StandardCharsets.UTF_8));
if (!Objects.equals(calculatedHashedRekord, rekorEntry.getBody())) {
  throw new Exception("Provided verification materials are inconsistent with log entry");
}

// verify the checkpoint signature (mitigate CVE-2024-54140)
var checkpoint = rekorEntry.getVerification().getInclusionProof().parsedCheckpoint();
// The signed data is the checkpoint body before the blank line that separates it from the
// signature lines, with its trailing newline restored.
var signedData = Splitter.on("\n\n").splitToList(rekorEntry.getVerification().getInclusionProof().getCheckpoint()).get(0) + "\n";

// Look up the log's public key in the trusted root (via TUF) by log ID and integration time.
var tufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
tufClient.update();
var trustedRoot = tufClient.getSigstoreTrustedRoot();
var tlog = TransparencyLog.find(trustedRoot.getTLogs(), Hex.decode(rekorEntry.getLogID()), rekorEntry.getIntegratedTimeInstant());

if (!Verifiers.newVerifier(tlog.get().getPublicKey().toJavaPublicKey()).verify(signedData.getBytes(StandardCharsets.UTF_8), checkpoint.getSignatures().get(0).getSignature())) {
  throw new Exception("Checkpoint signature was invalid");
}
```




**How do I upgrade?**


Upgrade references of `dev.sigstore:sigstore-java:<version>` to `dev.sigstore:sigstore-java:1.2.0`.

