CVE-2023-30551: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

Rekor, an open source software supply chain transparency log, prior to version 1.1.1 was found to be vulnerable to out of memory (OOM) conditions (CVE-2023-30551). The vulnerability was discovered through fuzzing with OSS-Fuzz and affects the verification of JAR files and parsing of APK files. The issue was disclosed in May 2023 and patched in version 1.1.1 (GitHub Advisory).

The vulnerability consists of two main issues: 1) Verification of JAR files could trigger an OOM crash if files within the META-INF directory were sufficiently large, as the relic library reads these files into memory without size checks. 2) Parsing of APK files could cause an OOM crash if the .SIGN or .PKGINFO files were sufficiently large, as byte slices were allocated based on unchecked tar header sizes. The vulnerability has been assigned a CVSS v3.1 score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

The vulnerability could lead to a Denial of Service (DoS) of Rekor services when processing maliciously crafted JAR or APK files. The impact is limited to availability, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in Rekor version 1.1.1. The fix includes implementing size checks for archive metadata files before reading them into memory. There are no known workarounds; users should update to version 1.1.1 or later (GitHub Release).