oss-sec mailing list archives
CVE-2021-41190 OCI distribution and image spec: "content-type" confusion
From: Vincent Batts <vbatts () hashbangbash com>
Date: Fri, 19 Nov 2021 10:18:20 -0500
Severity: MEDIUM (moderate in Github GHSA) Description: The specifications themselves needed additional clarification so that implementations of container registries, and the clients that parse data received from registries can have more securely defined behavior. The undefined behavior this advisory addresses is a "type confusion" where a JSON document for a container's manifest could masquerade as both an image-index or a manifest without modification to the digest, relying only on the HTTP `Content-type` header provided by the registry. This behavior would have been mitigated by the presence of the `mediaType` field in these JSON documents. As such a notable, but non-breaking change introduced in these releases is un-reserving the `mediaType` field for use, and actively encouraging it's use. Advisory links: - https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m - https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190 - https://groups.google.com/a/opencontainers.org/g/dev/c/ugWJ5ujnqV8/m/Yot9yHkGAAAJ Release links: - https://github.com/opencontainers/distribution-spec/releases/tag/v1.0.1 - https://github.com/opencontainers/image-spec/releases/tag/v1.0.2 Workarounds: Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields. Expect releases of container clients that can fetch from registries, as well as registries themselves.
Attachment:
signature.asc
Description:
Current thread:
- CVE-2021-41190 OCI distribution and image spec: "content-type" confusion Vincent Batts (Nov 19)