lakeFS Authenticated Denial-of-Service Vulnerability via Memory Exhaustion

Vulnerability

A denial-of-service vulnerability has been identified in lakeFS, an open-source tool that manages object storage like a Git repository. In versions prior to 1.50.0, an authenticated user can crash the server by exhausting its memory. This issue has been addressed in version 1.50.0. Users on versions 1.49.1 and below are vulnerable and are advised to upgrade. Those unable to upgrade should disable pre-signed multipart uploads, either by setting the environment variable 'LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART' to 'true' or by setting the 'disable_pre_signed_multipart' key to true in the application's config YAML file.

Impact

Exploitation of this vulnerability leads to a crash of the lakeFS server, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by an authenticated user who sends a large number of pre-signed multipart upload requests to the lakeFS server, particularly when using an S3 backend. This can be automated with a load testing tool that generates random file upload requests, effectively overwhelming the server's memory capacity.

Remediation

Users should upgrade to lakeFS version 1.50.0 or later. Those on versions 1.49.1 and below who cannot upgrade should disable pre-signed multipart uploads by setting the 'LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART' environment variable to 'true' or by adding 'disable_pre_signed_multipart: true' in their config YAML file.
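As an added example (not code from the advisory or from the lakeFS project), the following Python helper applies the advisory's two checks to a deployment: is the version at or above 1.50.0, and if not, is pre-signed multipart upload disabled via the environment variable or the config file. It assumes the YAML key lives at blockstore.s3.disable_pre_signed_multipart (derived from the environment-variable name) and that the environment variable takes precedence over the file.

```python
import re
from typing import Mapping

FIXED_VERSION = (1, 50, 0)
ENV_VAR = "LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART"
# Assumed YAML location, derived from the env var name (LAKEFS_ prefix, '_' as nesting).
CONFIG_PATH = ("blockstore", "s3", "disable_pre_signed_multipart")


def parse_version(version: str) -> tuple:
    """Turn 'v1.49.1' into a comparable (major, minor, patch) tuple; suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised lakeFS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_truthy(value) -> bool:
    """Accept the boolean spellings YAML and environment variables commonly carry."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def multipart_disabled(config: Mapping, env: Mapping[str, str]) -> bool:
    """Assumed precedence: the environment variable overrides the config file."""
    if ENV_VAR in env:
        return is_truthy(env[ENV_VAR])
    node = config
    for key in CONFIG_PATH:
        if not isinstance(node, Mapping) or key not in node:
            return False  # key absent: pre-signed multipart stays enabled
        node = node[key]
    return is_truthy(node)


def assess(version: str, config: Mapping, env: Mapping[str, str]) -> str:
    """Classify a deployment as 'fixed', 'mitigated' or 'vulnerable'."""
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"
    if multipart_disabled(config, env):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample config, not taken from a real deployment.
    sample_config = {"blockstore": {"type": "s3", "s3": {"region": "us-east-1"}}}
    print(assess("1.49.1", sample_config, {}))                 # vulnerable
    print(assess("1.49.1", sample_config, {ENV_VAR: "true"}))  # mitigated
    print(assess("v1.50.0", sample_config, {}))                # fixed
```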

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.