Rekor COSE v0.0.1 Entry Type Nil Pointer Dereference Vulnerability
Vulnerability
A nil pointer dereference vulnerability has been identified in the Rekor software supply chain transparency log, affecting versions up to and including 1.4.3. The issue lies in the COSE v0.0.1 entry implementation: an empty 'spec.message' can cause a panic on a thread within the Rekor process. The 'validate()' function incorrectly returns success when the message is empty, leaving the 'sign1Msg' field uninitialized (nil). 'Canonicalize()' then dereferences 'v.sign1Msg.Payload', causing the panic. Although the panic disrupts a thread, it is recovered, and the client receives a 500 error, so the impact on service availability is minimal.
Impact
Exploitation of this vulnerability causes a panic due to a nil pointer dereference, disrupting a thread within the Rekor process. However, the thread is recovered, and the client receives a 500 error, so the impact on service availability is minimal.
Reproduction
To reproduce this vulnerability, submit a proposed entry of the COSE v0.0.1 type with an empty 'spec.message'. When the server validates and then canonicalizes this entry, the nil pointer dereference triggers a panic.
Remediation
Upgrade to Rekor version 1.5.0, which addresses the vulnerability by implementing proper validation and handling of the 'spec.message' input.
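The defect pattern described above, reduced to a self-contained Go model and placed beside the hardened form of the check. This is an added illustration, not Rekor's own code: the 'Sign1Message', 'ProposedEntry' and 'coseEntry' types, the 'parseSign1' stub and the 'processEntry' request path with its panic recovery are assumed stand-ins for the real structures, chosen only to show why a validate() that returns success on an empty message leaves canonicalization with a nil pointer, and how rejecting the empty message up front closes the gap.

```go
package main

import (
	"errors"
	"fmt"
)

// Sign1Message stands in for the parsed COSE Sign1 structure (assumed shape, illustration only).
type Sign1Message struct {
	Payload []byte
}

// ProposedEntry models the part of a COSE v0.0.1 entry that matters here: spec.message as raw bytes.
type ProposedEntry struct {
	Message []byte
}

// coseEntry mirrors the pattern in the advisory: validate() is expected to fill sign1Msg
// before canonicalize() reads it.
type coseEntry struct {
	proposed ProposedEntry
	sign1Msg *Sign1Message
}

// parseSign1 is a placeholder for real COSE decoding; it simply records the bytes.
func parseSign1(raw []byte) (*Sign1Message, error) {
	return &Sign1Message{Payload: raw}, nil
}

// validateVulnerable reproduces the defect: an empty message is treated as "nothing to check",
// so validation reports success while sign1Msg stays nil.
func (v *coseEntry) validateVulnerable() error {
	if len(v.proposed.Message) == 0 {
		return nil // BUG: silently accepts an entry that cannot be canonicalized
	}
	msg, err := parseSign1(v.proposed.Message)
	if err != nil {
		return err
	}
	v.sign1Msg = msg
	return nil
}

// validateFixed rejects an empty spec.message, so sign1Msg is always set when validation succeeds.
func (v *coseEntry) validateFixed() error {
	if len(v.proposed.Message) == 0 {
		return errors.New("spec.message must contain a COSE Sign1 message")
	}
	msg, err := parseSign1(v.proposed.Message)
	if err != nil {
		return err
	}
	v.sign1Msg = msg
	return nil
}

// canonicalize dereferences sign1Msg.Payload without a nil check, mirroring the crash site
// described in the advisory.
func (v *coseEntry) canonicalize() ([]byte, error) {
	return append([]byte("canonical:"), v.sign1Msg.Payload...), nil
}

// processEntry models the server path: validate, then canonicalize, with a deferred recover
// standing in for the panic recovery that turns the crash into an HTTP 500 for the client.
func processEntry(entry *coseEntry, validate func(*coseEntry) error) (status int, err error) {
	defer func() {
		if r := recover(); r != nil {
			status = 500
			err = fmt.Errorf("panic recovered: %v", r)
		}
	}()
	if verr := validate(entry); verr != nil {
		return 400, verr
	}
	if _, cerr := entry.canonicalize(); cerr != nil {
		return 500, cerr
	}
	return 200, nil
}

func main() {
	// Constructed inputs: an entry with an empty spec.message, run through both validators.
	status, err := processEntry(&coseEntry{}, (*coseEntry).validateVulnerable)
	fmt.Println("vulnerable validate, empty message:", status, err)
	status, err = processEntry(&coseEntry{}, (*coseEntry).validateFixed)
	fmt.Println("fixed validate, empty message:", status, err)
}
```

With the vulnerable validator the empty entry passes validation and canonicalization dereferences a nil pointer; the recover converts the panic into a 500, matching the behaviour the advisory describes. With the fixed validator the same input is rejected with a validation error before any dereference, which is the check the 1.5.0 remediation adds. A second, independent nil guard inside canonicalize() would be a reasonable defence-in-depth layer on top of input validation.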