CVE-2024-56138

4.0 MEDIUM

📋 TL;DR

This vulnerability in notation-go allows attackers to use revoked or compromised certificates to generate malicious timestamp signatures during OCI artifact signing. This could lead to denial of service in CI/CD pipelines when signature verification fails. Users of notation-go for signing/verifying container images are affected.

💻 Affected Systems

Products:
  • notaryproject/notation-go
Versions: All versions before 1.3.0-rc.2
Operating Systems: All platforms running notation-go
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using notation-go for timestamp signature generation and verification of OCI artifacts.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of CI/CD pipelines through DoS: malicious artifacts appear timestamped with revoked certificates, causing verification failures and operational downtime.

🟠 Likely Case

DoS in automated build systems where timestamp verification fails because of revoked certificates, causing pipeline failures and deployment delays.

🟢 If Mitigated

Minimal impact with proper certificate management and monitoring, though verification failures can still occur if revoked certificates are used.

🌐 Internet-Facing: MEDIUM - Exploitation requires man-in-the-middle position or ability to inject malicious certificates into the signing process.
🏢 Internal Only: LOW - Requires internal network access and ability to manipulate certificate chains during timestamp generation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires man-in-the-middle position or ability to inject compromised certificates into the timestamp signing process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.0-rc.2 and later

Vendor Advisory: https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v

Restart Required: No

Instructions:

  1. Update notation-go to version 1.3.0-rc.2 or later.
  2. For Go projects: run 'go get github.com/notaryproject/notation-go@v1.3.0-rc.2'.
  3. Rebuild and redeploy any applications using notation-go.

🔧 Temporary Workarounds

No workarounds available (all platforms)

The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement strict network controls to prevent man-in-the-middle attacks on timestamp authority connections
  • Monitor and audit all timestamp signature verification failures for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check if notation-go version is below 1.3.0-rc.2 in your Go modules or dependencies

Check Version:

go list -m github.com/notaryproject/notation-go

Verify Fix Applied:

Verify notation-go version is 1.3.0-rc.2 or higher and test timestamp signature verification with known revoked certificates
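The version check above is easy to get wrong by hand because the fix landed in a pre-release: under Go's semver ordering v1.3.0-rc.1 is below v1.3.0-rc.2, while v1.3.0 and v1.3.0-rc.10 are above it. The script below is an added example (not notation-go's own tooling or the advisory's) that parses the output of the 'go list -m' command given above and compares the resolved version against 1.3.0-rc.2 using semver 2.0.0 precedence as Go modules apply it. The sample 'go list -m' line embedded in it is constructed; the MODULE path and FIXED_VERSION come from this page, and check_current_module assumes a Go toolchain and a module that depends on notation-go.

```python
"""Check whether a resolved notation-go dependency predates the fixed release.

Added example for CVE-2024-56138; module path and fixed version are taken
from the advisory on this page, everything else is illustrative.
"""
import re
import subprocess

MODULE = "github.com/notaryproject/notation-go"   # from the page
FIXED_VERSION = "v1.3.0-rc.2"                       # patch version from the page

# Go module versions are semver 2.0.0 with a leading "v"; build metadata
# such as "+incompatible" is ignored for precedence.
_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)
# Sentinel used in place of pre-release identifiers so that a final release
# sorts above every pre-release of the same core version.
_RELEASE = ((2,),)

# Constructed sample of `go list -m github.com/notaryproject/notation-go`
# output for a vulnerable module (not real project output).
SAMPLE_GO_LIST = "github.com/notaryproject/notation-go v1.2.1\n"


def parse_version(version):
    """Turn a Go module version into a tuple that sorts by semver precedence."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a Go semantic version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (_RELEASE,)
    # semver: numeric identifiers compare as integers and rank below
    # alphanumeric ones; a longer identifier list beats its own prefix.
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (ids,)


def is_vulnerable(version):
    """True when `version` is older than FIXED_VERSION."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def parse_go_list_line(line):
    """Return the effective version from one `go list -m` line.

    Handles "path vX.Y.Z" and the replace form "path vX => newpath vA.B.C".
    A replace that points at a local directory carries no version, so None is
    returned and the checkout has to be inspected by hand.
    """
    tokens = line.split()
    if "=>" in tokens:
        tokens = tokens[tokens.index("=>") + 1:]
        if len(tokens) >= 2 and tokens[-1].startswith("v"):
            return tokens[-1]
        return None
    return tokens[1] if len(tokens) >= 2 else None


def assess(go_list_output):
    """Return (version, vulnerable) for MODULE, or (None, None) if undetermined."""
    for line in go_list_output.splitlines():
        if line.startswith(MODULE + " "):
            version = parse_go_list_line(line)
            if version is None:
                return None, None
            return version, is_vulnerable(version)
    return None, None   # module is not in the build list


def check_current_module():
    """Run `go list -m` in the current directory (needs the Go toolchain;
    raises CalledProcessError if the module is not a dependency here)."""
    proc = subprocess.run(
        ["go", "list", "-m", MODULE], capture_output=True, text=True, check=True
    )
    return assess(proc.stdout)


if __name__ == "__main__":
    version, vulnerable = assess(SAMPLE_GO_LIST)
    print(f"sample: {version} vulnerable={vulnerable}")
    try:
        version, vulnerable = check_current_module()
        print(f"this module: {version} vulnerable={vulnerable}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not resolve {MODULE} here: {exc}")
```

Run it from the root of the Go module you want to audit; a None result means a local replace directive is in play and the replacement checkout needs to be checked for the fix directly.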

📡 Detection & Monitoring

Log Indicators:

  • Failed timestamp signature verifications
  • Certificate revocation check failures
  • Unexpected certificate chain changes during signing

Network Indicators:

  • Unusual connections to timestamp authority servers
  • Certificate chain modifications in transit

SIEM Query:

source="notation-go" AND ("certificate revocation" OR "timestamp verification failed")
