CVE-2024-23332

Summary

CVE-2024-23332 is a vulnerability affecting the Notary Project, a toolset designed to secure software supply chains. An attacker controlling a compromised container registry can provide outdated OCI artifacts, such as images, with signatures that are no longer valid. This makes these artifacts susceptible to any exploits they may contain. Notary Project allows artifact publishers to control the validity period of artifact signatures during the signing process. By using shorter signature validity periods and periodically resigning artifacts, artifact producers can ensure consumers receive up-to-date artifacts. It's essential for consumers to use a strict or equivalent trust policy to enforce signature expiry. The Notary Project offers flexible signature validation options, such as permissive, audit, and skip, to accommodate various scenarios, including emergency deployments or alternative validation methods. Additionally, the Notary Project supports revocation to ensure signature freshness. Artifact publishers can sign with short-lived certificates and revoke older certificates, signaling consumers that the corresponding artifact is no longer approved.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.