PowSyBl Polynomial Regular Expression Denial-of-Service Vulnerability in RegexCriterion
Vulnerability
A polynomial Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the PowSyBl IIDM Criteria library, affecting versions from 6.3.0 up to, but not including, 6.7.2. The vulnerability resides in the RegexCriterion class, which compiles and evaluates unvalidated, user-supplied regular expressions against the identifiers of Identifiable objects. Exploiting it can cause significant CPU exhaustion, particularly when the criterion is applied to large network models or during extensive filtering operations.
Impact
Exploitation of this vulnerability causes considerable CPU exhaustion, leading to performance degradation, especially with larger input sizes or network models.
Reproduction
To reproduce this vulnerability, a regular expression that induces excessive backtracking, such as one matching a large number of characters, must be supplied to the RegexCriterion constructor. In addition, the Identifiable object being filtered must return a long identifier that forces the regex engine to backtrack extensively; this can be done with a custom Identifiable implementation whose getId() method returns such a string.
Remediation
Users can upgrade to PowSyBl IIDM Criteria version 6.7.2 or later to address this vulnerability.
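Upgrading is the fix; the following is an added example, not PowSyBl code, showing the kind of guard a defender can put around any criterion that evaluates caller-supplied regular expressions. The class name GuardedRegexCriterion, the length limits and the time budget are assumptions chosen for illustration. It relies on a documented property of java.util.regex: Matcher reads its input through the CharSequence interface, so a wrapper that checks a deadline inside charAt() can abort a match that is backtracking for too long instead of letting it consume the CPU.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Hypothetical, hardened variant of a regex-based identifier criterion
 * (added example, not part of PowSyBl). Caps pattern and input length,
 * and bounds the wall-clock time a single match may take.
 */
public final class GuardedRegexCriterion {
    // Illustrative limits; tune for the identifier scheme of your model.
    private static final int MAX_PATTERN_LENGTH = 256;
    private static final int MAX_ID_LENGTH = 1024;
    // Check the clock only every N characters read to keep overhead low.
    private static final int CLOCK_CHECK_INTERVAL = 256;

    private final Pattern pattern;
    private final long budgetNanos;

    public GuardedRegexCriterion(String regex, long budgetMillis) {
        if (regex == null || regex.length() > MAX_PATTERN_LENGTH) {
            throw new IllegalArgumentException("regex missing or longer than " + MAX_PATTERN_LENGTH);
        }
        try {
            this.pattern = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException("invalid regex: " + e.getDescription(), e);
        }
        this.budgetNanos = budgetMillis * 1_000_000L;
    }

    /**
     * Returns true if the identifier matches the whole pattern.
     * Oversized identifiers are rejected without touching the regex engine.
     * Throws MatchBudgetExceededException if the match exceeds its time budget.
     */
    public boolean filter(String id) {
        if (id == null || id.length() > MAX_ID_LENGTH) {
            return false;
        }
        long deadline = System.nanoTime() + budgetNanos;
        Matcher m = pattern.matcher(new DeadlineCharSequence(id, deadline));
        return m.matches();
    }

    /** Raised when a single match runs past its budget; callers should log and drop the criterion. */
    public static final class MatchBudgetExceededException extends RuntimeException {
        MatchBudgetExceededException() {
            super("regex evaluation exceeded its time budget");
        }
    }

    /** CharSequence view that polls a deadline while the regex engine reads characters. */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadline;
        private int reads;

        DeadlineCharSequence(CharSequence inner, long deadline) {
            this.inner = inner;
            this.deadline = deadline;
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            // Every access by the matcher comes through here, including backtracking re-reads.
            if (++reads % CLOCK_CHECK_INTERVAL == 0 && System.nanoTime() > deadline) {
                throw new MatchBudgetExceededException();
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadline);
        }

        @Override public String toString() { return inner.toString(); }
    }

    public static void main(String[] args) {
        // Constructed sample: a benign identifier pattern and two sample ids.
        GuardedRegexCriterion criterion = new GuardedRegexCriterion("^LINE_[0-9]+$", 50);
        System.out.println(criterion.filter("LINE_42"));  // true
        System.out.println(criterion.filter("BUS_1"));    // false
        try {
            // A regex that cannot be compiled is rejected up front, before any matching.
            new GuardedRegexCriterion("(unclosed", 50);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The length caps and the time budget are independent controls: the caps stop trivially large inputs before the engine sees them, and the deadline bounds the cost of any pattern that still backtracks heavily on an identifier within the limits. When the budget is exceeded, the exception should be treated as a signal to log the offending pattern and discard that criterion, not as a transient error to retry.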
