OpenBao Denial-of-Service Vulnerability via Malicious JSON Payloads
Vulnerability
A denial-of-service vulnerability has been identified in OpenBao, an open-source identity-based secrets management system, in versions prior to 2.4.1. The issue arises because a JSON object, once decoded, can occupy significantly more memory than its serialized form. An attacker can therefore craft a JSON payload that maximizes the gap between serialized size and deserialized memory usage, akin to a zip bomb, with amplification factors reaching approximately 35. Exploiting this gap bypasses the 'max_request_size' configuration, which is designed to mitigate denial-of-service attacks, because that limit is applied to the serialized bytes rather than to the decoded result. The request body is decoded into a map early in the request handling sequence, before authentication, so an unauthenticated attacker can send a specially crafted JSON object that causes an out-of-memory crash. Furthermore, for requests containing large numbers of strings, the audit subsystem can consume excessive CPU resources.
Impact
Exploitation of this vulnerability leads to an out-of-memory crash, causing a denial-of-service condition. Additionally, the audit subsystem can be overwhelmed, consuming large amounts of CPU resources.
Reproduction
To reproduce this vulnerability, send a JSON payload crafted so that its decoded form consumes far more memory than its serialized size, which keeps the request within the 'max_request_size' limit while defeating its purpose. A JSON structure containing a large number of nested objects or arrays has this property, since each nested value requires its own allocation after decoding. Once the payload is sent, the application will likely crash after running out of available memory.
Remediation
Update to OpenBao version 2.4.1 or later, where this vulnerability has been fixed. Additionally, on versions 2.4.1 and above, it is recommended to set the 'max_request_json_complexity' option in the listener stanza, which limits the number of JSON tokens allowed in a request body and so bounds the decoded size independently of the byte limit, preventing similar denial-of-service attacks.
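The following Go program is an added illustration, not OpenBao's own code, of the two limits discussed in the Reproduction and Remediation sections: a byte limit that checks only the serialized size, and a token-count limit applied with encoding/json's streaming tokenizer before the full decode allocates the in-memory map. The function and error names are assumptions chosen for the illustration, and emptyArrays builds a constructed sample body that is small on the wire but expands to many tokens.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"io"
	"strings"
)

// ErrTooLarge stands in for max_request_size: too many serialized bytes.
var ErrTooLarge = errors.New("request body exceeds size limit")

// ErrTooComplex stands in for max_request_json_complexity: too many JSON tokens.
var ErrTooComplex = errors.New("request body exceeds JSON complexity limit")

// countJSONTokens streams the body through encoding/json's tokenizer and counts
// delimiters, keys and values without building the decoded object graph. It
// stops as soon as the budget is exceeded, so the work spent on a rejected
// payload is bounded by the budget rather than by the payload.
func countJSONTokens(r io.Reader, maxTokens int) (int, error) {
	dec := json.NewDecoder(r)
	n := 0
	for {
		_, err := dec.Token() // commas and colons are elided by Token()
		if err == io.EOF {
			return n, nil
		}
		if err != nil {
			return n, err
		}
		if n++; n > maxTokens {
			return n, ErrTooComplex
		}
	}
}

// decodeRequestBody applies the byte limit, then the token limit, and only then
// the full decode that allocates the map (the step that crashes without a limit).
func decodeRequestBody(body []byte, maxBytes, maxTokens int) (map[string]interface{}, error) {
	if len(body) > maxBytes {
		return nil, ErrTooLarge
	}
	if _, err := countJSONTokens(bytes.NewReader(body), maxTokens); err != nil {
		return nil, err
	}
	var m map[string]interface{}
	err := json.Unmarshal(body, &m)
	return m, err
}

// emptyArrays builds a constructed sample body: a top-level array holding n
// empty arrays, 3n+1 bytes on the wire but 2n+2 tokens and 2n+1 allocations.
func emptyArrays(n int) []byte {
	return []byte("[" + strings.TrimSuffix(strings.Repeat("[],", n), ",") + "]")
}
```

A 3001-byte body of 1000 empty arrays passes a 1 MiB byte limit but is rejected by a 500-token budget after reading only 501 tokens.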