OpenID Connect client Atom Exhaustion in provider configuration worker ets table location

Impact

DOS by Atom exhaustion is possible by calling oidcc_provider_configuration_worker:get_provider_configuration/1 or oidcc_provider_configuration_worker:get_jwks/1.

Since the name is usually provided as a static value in the application using oidcc, this is unlikely to be exploited.

Details

Example to illustrate the vulnerability.

{ok, Claims} =
  oidcc:retrieve_userinfo(
    Token,
    myapp_oidcc_config_provider,
    <<"client_id">>,
    <<"client_secret">>,
    #{}
  )

The vulnerability is present in oidcc_provider_configuration_worker:get_ets_table_name/1.
The function get_ets_table_name is calling erlang:list_to_atom/1.

https://github.com/erlef/oidcc/blob/018dbb53dd752cb1e331637d8e0e6a489ba1fae9/src/oidcc_provider_configuration_worker.erl#L385-L388

There might be a case (Very highly improbable) where the 2nd argument of
oidcc_provider_configuration_worker:get_*/1 is called with a different atom each time which eventually leads to
the atom table filling up and the node crashing.

Patches

Patched in 3.0.2, 3.1.2 & 3.2.0-beta.3

Workarounds

Make sure only valid provider configuration worker names are passed to the functions.

References

https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/atom_exhaustion.html

References

maennchen published to erlef/oidcc Apr 3, 2024

Published to the GitHub Advisory Database Apr 3, 2024

Reviewed Apr 3, 2024

Published by the National Vulnerability Database Apr 4, 2024

Last updated Apr 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Details

Patches

Workarounds

References

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits