Bombastic allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of certain fields and values in the JSON; to perform this verification, the uploaded file must first be decompressed. Decompressing a malicious bzip2-compressed JSON file can cause memory exhaustion: a 69 KB bzip2-compressed file can decompress to on the order of 100 GB. This causes the pod to become unresponsive and quickly leads to its eviction by OpenShift, after which a new pod is deployed in place of the evicted one. Note: malicious JSON compressed with zstd does not seem to be affected by this attack.
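As an added illustration (not part of this advisory and not Bombastic's own code), this is the check a decompress-then-validate step needs: pull the bzip2 output in bounded pieces and reject the upload as soon as it exceeds a fixed budget, instead of expanding the whole stream into memory. The payloads are constructed here and the 1 MiB budget is an assumed value, not a figure from the report.

```python
import bz2
import io


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured budget."""


def bounded_bz2_decompress(data: bytes, max_output: int, chunk_in: int = 64 * 1024) -> bytes:
    """Decompress a bzip2 stream while never holding more than max_output bytes of output.

    BZ2Decompressor.decompress(max_length=...) returns at most max_length bytes and
    keeps the rest of the input in its internal buffer; passing b"" drains that
    buffer until needs_input is True again. Raises DecompressionLimitExceeded as soon
    as the output passes the budget, so a bomb is stopped after max_output + 1 bytes.
    """
    dec = bz2.BZ2Decompressor()
    src = io.BytesIO(data)
    out = io.BytesIO()
    produced = 0
    while not dec.eof:
        # Feed new compressed bytes only when the decompressor's buffer is drained.
        piece = src.read(chunk_in) if dec.needs_input else b""
        if dec.needs_input and not piece:
            raise ValueError("truncated bzip2 stream")
        budget = max_output - produced + 1  # +1 lets us detect the overflow itself
        chunk = dec.decompress(piece, max_length=budget)
        produced += len(chunk)
        if produced > max_output:
            raise DecompressionLimitExceeded(f"decompressed output exceeds {max_output} bytes")
        out.write(chunk)
    return out.getvalue()


def safe_size(data: bytes, max_output: int):
    """Return the decompressed size if within budget, else None (reject the upload)."""
    try:
        return len(bounded_bz2_decompress(data, max_output))
    except DecompressionLimitExceeded:
        return None


# Constructed samples (assumptions for this example, not the advisory's 69 KB file):
# an ordinary small SBOM-like document, and a highly compressible 16 MiB run of
# identical bytes that bzip2 shrinks to a few hundred bytes.
SMALL_JSON_PLAIN = b'{"bomFormat": "CycloneDX", "specVersion": "1.4"}'
SMALL_JSON = bz2.compress(SMALL_JSON_PLAIN)
BOMB_PLAIN_SIZE = 16 * 1024 * 1024
BOMB = bz2.compress(b"0" * BOMB_PLAIN_SIZE)
UPLOAD_BUDGET = 1024 * 1024  # assumed 1 MiB cap on decompressed SBOM size

if __name__ == "__main__":
    print("small document:", safe_size(SMALL_JSON, UPLOAD_BUDGET), "bytes")
    print("bomb:", "rejected" if safe_size(BOMB, UPLOAD_BUDGET) is None else "accepted")
```

The same loop can be written for the zstd path, but the report notes that zstd-compressed JSON did not trigger the problem.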
Created bzip2 tracking bugs for this issue: Affects: fedora-all [bug 2274110]
Created mingw-bzip2 tracking bugs for this issue: Affects: fedora-all [bug 2274111]