Skip to content

Atom Exhaustion in provider configuration worker ets table location

Moderate
maennchen published GHSA-mj35-2rgf-cv8p Apr 3, 2024

Package

erlang oidcc (Erlang)

Affected versions

>= 3.0.0

Patched versions

3.0.2, 3.1.2, 3.2.0-beta.3

Description

Impact

DOS by Atom exhaustion is possible by calling oidcc_provider_configuration_worker:get_provider_configuration/1 or oidcc_provider_configuration_worker:get_jwks/1.

Since the name is usually provided as a static value in the application using oidcc, this is unlikely to be exploited.

Details

Example to illustrate the vulnerability.

{ok, Claims} =
  oidcc:retrieve_userinfo(
    Token,
    myapp_oidcc_config_provider,
    <<"client_id">>,
    <<"client_secret">>,
    #{}
  )

The vulnerability is present in oidcc_provider_configuration_worker:get_ets_table_name/1.
The function get_ets_table_name is calling erlang:list_to_atom/1.

oidcc/src/oidcc_provider_configuration_worker.erl

Lines 385 to 388 in 018dbb5

get_ets_table_name(WorkerName) when is_atom(WorkerName) ->
{ok, erlang:list_to_atom(erlang:atom_to_list(WorkerName) ++ "_table")};
get_ets_table_name(_Ref) ->
error.

There might be a case (Very highly improbable) where the 2nd argument of
oidcc_provider_configuration_worker:get_*/1 is called with a different atom each time which eventually leads to
the atom table filling up and the node crashing.

Patches

Patched in 3.0.2, 3.1.2 & 3.2.0-beta.3

Workarounds

Make sure only valid provider configuration worker names are passed to the functions.

References

Severity

Moderate
5.3
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE ID

CVE-2024-31209

Weaknesses

Credits