REDHAT-BUG-2274109: Medium severity Bombastic Bombastic vulnerability
Bombastic allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON, to perform this verification the uploaded file must first be decompressed.
The decompression of malicious bzip2-compressed JSON can cause memory exhaustion: a 69 Kb bzip2 compressed file can be uncompressed to the order of 100 Gb. This causes the pod to become unresponsive and quickly leads to its eviction by OpenShift. A new pod is then re-deployed in lieu of the evicted one.
Note: malicious JSON compressed with zstd do not seem to be affected by this attack.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2274109?
The severity of REDHAT-BUG-2274109 is classified as high due to the potential for arbitrary code execution through malicious file uploads.
How do I fix REDHAT-BUG-2274109?
Fix REDHAT-BUG-2274109 by updating to the latest version of Bombastic or applying the recommended security patches provided by Red Hat.
Who is affected by REDHAT-BUG-2274109?
Users of Bombastic and OpenShift software are affected by REDHAT-BUG-2274109.
What type of files can be uploaded that exploit REDHAT-BUG-2274109?
The exploit involves uploading malicious bzip2-compressed JSON files via the API endpoint.
What potential impact does REDHAT-BUG-2274109 have on systems?
The potential impact of REDHAT-BUG-2274109 includes remote code execution and compromise of the affected system.