PT-2024-19814 · Unknown · The Notary Project

Justincappos · Published 2024-01-19 · Updated 2024-06-28 · CVE-2024-23332

CVSS v3.1: 4.0 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: The Notary Project (affected versions not specified)
Description: An external actor with control of a compromised container registry can serve outdated versions of OCI artifacts, such as container images. Artifact consumers with relaxed trust policies (such as permissive, which logs rather than enforces signature expiry and revocation failures, instead of strict) could therefore use artifacts whose signatures are no longer valid, making them susceptible to any exploits those artifacts contain. The Notary Project offers several signature validation options, such as permissive, audit, and skip, to support different scenarios. Artifact publishers control the validity period of artifacts by specifying a signature expiry during signing. Short signature validity periods, combined with a process to periodically re-sign artifacts, let artifact producers ensure that their consumers receive only up-to-date artifacts.
Recommendations: To resolve the issue, artifact publishers should specify a signature expiry during signing, use short signature validity periods, and periodically re-sign artifacts. Artifact consumers should use a strict or equivalent trust policy that enforces signature expiry. As a temporary workaround, consider disabling permissive trust policies until a more secure configuration is in place. Restrict access to compromised container registries to minimize the risk of exploitation, and avoid using outdated versions of OCI artifacts until the issue is resolved. The Notary Project also supports revocation to ensure signature freshness: artifact publishers can sign with short-lived certificates and revoke older certificates when necessary.
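As an added illustration (not code from the Notary Project or from this advisory), the following Python model applies the Notary Project's documented verification levels to a signature whose expiry has passed, and shows why a permissive policy accepts a replayed artifact while strict rejects it. The trust policy document follows the Notation trust policy JSON layout; the registry name, trust store, issuer and digest values are constructed placeholders, and the signature record is a simplified stand-in for a real signature envelope.

```python
"""Model of Notary Project trust-policy verification levels applied to an
expired signature. Constructed illustration, not code from the Notary Project."""
import json
from datetime import datetime, timedelta, timezone

ENFORCE, LOG, SKIP = "enforce", "log", "skip"

# What each verification level does with each validation, per the Notary
# Project trust-policy specification: a failed ENFORCE check rejects the
# artifact, a failed LOG check is only recorded, SKIP performs no check.
LEVELS = {
    "strict":     dict(integrity=ENFORCE, authenticity=ENFORCE, expiry=ENFORCE, revocation=ENFORCE),
    "permissive": dict(integrity=ENFORCE, authenticity=ENFORCE, expiry=LOG,     revocation=LOG),
    "audit":      dict(integrity=ENFORCE, authenticity=LOG,     expiry=LOG,     revocation=LOG),
    "skip":       dict(integrity=SKIP,    authenticity=SKIP,    expiry=SKIP,    revocation=SKIP),
}

# Trust policy in the Notation trust policy JSON layout. Registry, trust store
# and identity values are constructed placeholders. Changing "permissive" to
# "strict" is the consumer-side fix the advisory recommends.
TRUST_POLICY = json.loads("""
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "example-images",
      "registryScopes": ["registry.example.test/net-monitor"],
      "signatureVerification": {"level": "permissive"},
      "trustStores": ["ca:example-ca"],
      "trustedIdentities": ["*"]
    }
  ]
}
""")


def policy_level(reference, policy=TRUST_POLICY):
    """Pick the verification level for an artifact reference (repo@digest)."""
    repo = reference.rsplit("@", 1)[0]
    for p in policy["trustPolicies"]:
        if repo in p["registryScopes"] or "*" in p["registryScopes"]:
            return p["signatureVerification"]["level"]
    raise LookupError(f"no trust policy covers {reference}")


def verify(sig, now, level):
    """Apply one verification level to a (constructed) signature record.

    Returns (accepted, findings); findings lists each failed check with the
    action taken, which is what a consumer would see in verification output."""
    checks = {
        "integrity": sig["payload_digest"] == sig["signed_digest"],
        "authenticity": sig["issuer"] in sig["trusted_issuers"],
        "expiry": sig["expiry"] is None or now <= sig["expiry"],
        "revocation": not sig["revoked"],
    }
    accepted, findings = True, []
    for name, passed in checks.items():
        action = LEVELS[level][name]
        if action == SKIP or passed:
            continue
        findings.append(f"{name} failed: {action}")
        if action == ENFORCE:
            accepted = False
    return accepted, findings


def stale_signature(signed_at, validity):
    """Signature over a constructed digest, produced with a bounded validity
    (the equivalent of signing with an expiry), later replayed by a registry."""
    return {
        "payload_digest": "sha256:constructed-digest",
        "signed_digest": "sha256:constructed-digest",
        "issuer": "CN=example-ca",
        "trusted_issuers": {"CN=example-ca"},
        "expiry": signed_at + validity,
        "revoked": False,
    }


def demo():
    signed_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sig = stale_signature(signed_at, timedelta(hours=24))
    # Ten days later a registry serves the old artifact with its old signature.
    now = signed_at + timedelta(days=10)
    # Same replay, but with a tampered payload: integrity is enforced at every
    # level except skip, so even permissive rejects it.
    tampered = dict(sig, payload_digest="sha256:other-digest")
    ref = "registry.example.test/net-monitor@sha256:constructed-digest"
    results = {
        "permissive": verify(sig, now, "permissive"),
        "strict": verify(sig, now, "strict"),
        "permissive-tampered": verify(tampered, now, "permissive"),
    }
    return results, policy_level(ref)


if __name__ == "__main__":
    results, level = demo()
    print("trust policy level for reference:", level)
    for name, (ok, findings) in results.items():
        print(f"{name:20s} accepted={ok} findings={findings}")
```

Under the permissive policy the expired signature is only logged and the stale artifact is accepted, which is the behaviour the advisory describes; under strict the same expiry failure rejects it. Integrity and authenticity are enforced in both, so permissive still catches a tampered payload: the gap is specifically freshness.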

Related Identifiers

CVE-2024-23332
GHSA-57WX-M636-G3G8
GO-2024-2472

Affected Products

The Notary Project