Bug 2274109 (CVE-2024-3508) - CVE-2024-3508 bzip2: Compressed Content Bomb Leads to Denial of Service of Bombastic API
Summary: CVE-2024-3508 bzip2: Compressed Content Bomb Leads to Denial of Service of Bo...
Keywords:
Status: NEW
Alias: CVE-2024-3508
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2274110 2274111
Blocks: 2274108
Reported: 2024-04-09 07:53 UTC by Rohit Keshri
Modified: 2024-04-11 14:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Rohit Keshri 2024-04-09 07:53:33 UTC
Bombastic allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON; to perform this verification, the uploaded file must first be decompressed.

The decompression of malicious bzip2-compressed JSON can cause memory exhaustion: a 69 Kb bzip2 compressed file can be uncompressed to the order of 100 Gb. This causes the pod to become unresponsive and quickly leads to its eviction by OpenShift. A new pod is then re-deployed in lieu of the evicted one.

Note: malicious JSON compressed with zstd does not seem to be affected by this attack.
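The mitigation the report implies is to bound decompression before validation: never inflate an upload into memory without a hard cap on the output size. The following is an added Python illustration, not Bombastic's own (Rust) code; the SBOM field check, the `max_out` limit and the constructed inputs are assumptions for the example, and the bomb is just 8 MiB of zeros compressed with bzip2.

```python
import bz2
import io
import json

class DecompressedTooLarge(ValueError):
    """Raised when a bzip2 stream would expand beyond the configured limit."""

def decompress_bounded(data: bytes, max_out: int, chunk_in: int = 64 * 1024) -> bytes:
    """Incrementally decompress bzip2 data, aborting as soon as the output would
    exceed max_out bytes. Peak memory is about max_out + chunk_in regardless of
    how far the stream really expands, so a bomb cannot exhaust the pod."""
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    src = io.BytesIO(data)
    while not dec.eof:
        # Only read more input once the decompressor has drained its buffer.
        chunk = src.read(chunk_in) if dec.needs_input else b""
        if dec.needs_input and not chunk:
            raise ValueError("truncated bzip2 stream")
        # Ask for at most one byte beyond the limit: producing it proves the
        # stream is too large without ever materialising the full payload.
        out += dec.decompress(chunk, max_length=max_out + 1 - len(out))
        if len(out) > max_out:
            raise DecompressedTooLarge(f"decompressed output exceeds {max_out} bytes")
    return bytes(out)

def load_compressed_sbom(data: bytes, max_out: int = 1 << 20) -> dict:
    """Decompress-then-validate, with the decompression step bounded (1 MiB default)."""
    raw = decompress_bounded(data, max_out)
    doc = json.loads(raw)
    # Hypothetical field check; the real endpoint's required fields are not in the report.
    if not isinstance(doc, dict) or "bomFormat" not in doc:
        raise ValueError("not a recognised SBOM document")
    return doc

# Constructed inputs (not from the report): a small SBOM-like JSON document and a
# bomb built from 8 MiB of zeros, which bzip2 shrinks by a factor of thousands.
GOOD = bz2.compress(json.dumps({"bomFormat": "CycloneDX", "components": []}).encode())
BOMB = bz2.compress(b"\0" * (8 * 1024 * 1024))

def demo() -> tuple:
    """Returns (legitimate upload accepted, bomb rejected before exhausting memory)."""
    accepted = load_compressed_sbom(GOOD)["bomFormat"] == "CycloneDX"
    try:
        load_compressed_sbom(BOMB)
        rejected = False
    except DecompressedTooLarge:
        rejected = True
    return accepted, rejected

if __name__ == "__main__":
    print(demo())
```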

Comment 1 Rohit Keshri 2024-04-09 07:55:01 UTC
Created bzip2 tracking bugs for this issue:

Affects: fedora-all [bug 2274110]


Created mingw-bzip2 tracking bugs for this issue:

Affects: fedora-all [bug 2274111]

