Name: Access of Resource Using Incompatible Type ('Type Confusion')
Description: The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.
Patches
Upgrade to at least v2.8.0-beta.1 if you are running a v2.x release. If you use the code from the main branch, update to at least the commit after b59a6f827947f9e0e67df0cfb571046de4733586.
Workarounds
There is no way to work around this issue without patching.
References
Due to an oversight in the OCI Image Specification that removed the embedded mediaType field from manifests, a maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image’s digest by modifying the Content-Type header returned by a registry. This can invalidate a common pattern of relying on container image digests for equivalence.
For more information
If you have any questions or comments about this advisory:
Due Date: 2022-09-30
A low severity vulnerability has been discovered in your project.
Project Name: test
Scanner Name: dependabot
Cwe ID: 843
Cwe Name: Access of Resource Using Incompatible Type (Type Confusion)
Cwe Link: https://cwe.mitre.org/data/definitions/843.html
File: go.sum
Packages:
References:
Training(Secure Code Warrior):
Name: Access of Resource Using Incompatible Type ('Type Confusion')
Description: The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/web/memory/typeconfusion/go/vanilla
Videos:
Tool Description: Summary: OCI Manifest Type Confusion Issue. Description: Impact
Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.
Patches
Upgrade to at least v2.8.0-beta.1 if you are running a v2.x release. If you use the code from the main branch, update to at least the commit after b59a6f827947f9e0e67df0cfb571046de4733586.
Workarounds
There is no way to work around this issue without patching.
References
Due to an oversight in the OCI Image Specification that removed the embedded mediaType field from manifests, a maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image’s digest by modifying the Content-Type header returned by a registry. This can invalidate a common pattern of relying on container image digests for equivalence.
For more information
If you have any questions or comments about this advisory:
Kondukto Link: http://80.kondukto.local/projects/6331ad74ef14f4953e572991/vulns/appsec?page=1&perPage=15&id=in:6336c278ac49fe7403108d7e