Omni Resource Service Unauthenticated Nil Pointer Dereference Vulnerability Leading to Denial-of-Service

Vulnerability

A nil pointer dereference vulnerability has been identified in the Omni Resource Service, affecting versions prior to 1.1.5 and 1.0.2 (the two release lines that received fixes). It allows unauthenticated users to crash the server and disrupt service by sending empty resource creation or update requests through the API. The issue arises in the 'isSensitiveSpec' function, which calls 'grpcomni.CreateResource' without checking whether the resource's metadata is nil. When a resource arrives with an empty metadata field, 'CreateResource' reads 'resource.Metadata.Version', triggering a nil pointer dereference (reported by the Go runtime as a segmentation violation); because the panic is not recovered, it terminates the server process.
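The following Go program is an added illustration of the root cause and of the kind of check that closes it; it is not Omni's code. The 'Metadata', 'Resource' and 'CreateRequest' types are simplified stand-ins for the protobuf messages the Resource Service decodes, and the function names are hypothetical. 'createResourceUnchecked' reproduces the pre-fix pattern (dereferencing 'Metadata.Version' without a nil check), 'createResourceChecked' validates every pointer on the path first, and 'withRecovery' shows a gRPC-style recovery wrapper as defence in depth, which contains a panic to one request but is not a substitute for validation.

```go
package main

import (
	"errors"
	"fmt"
)

// Metadata and Resource are simplified stand-ins for the protobuf messages the
// Resource Service decodes (constructed for this example; not Omni's generated
// types). In Go protobuf code a nested message field is a pointer, so a request
// body that omits "metadata" decodes with Metadata == nil rather than as an
// empty struct.
type Metadata struct {
	Namespace string
	Type      string
	ID        string
	Version   string
}

type Resource struct {
	Metadata *Metadata
	Spec     string
}

type CreateRequest struct {
	Resource *Resource
}

// errInvalidArgument stands in for a gRPC codes.InvalidArgument status.
var errInvalidArgument = errors.New("invalid argument")

// createResourceUnchecked mirrors the pre-fix pattern the advisory describes:
// Metadata.Version is read without first checking that Metadata is non-nil.
// For the empty request it panics with "invalid memory address or nil pointer
// dereference"; in a gRPC handler goroutine with no recovery, that panic
// terminates the whole server process.
func createResourceUnchecked(req *CreateRequest) (string, error) {
	return req.Resource.Metadata.Version, nil
}

// validateResource is the hardened counterpart: every pointer on the path is
// checked before it is dereferenced, and a bad request is rejected with an
// error the caller can map to InvalidArgument instead of reaching the
// dereference at all.
func validateResource(res *Resource) error {
	if res == nil {
		return fmt.Errorf("%w: resource is required", errInvalidArgument)
	}
	if res.Metadata == nil {
		return fmt.Errorf("%w: resource metadata is required", errInvalidArgument)
	}
	if res.Metadata.Type == "" || res.Metadata.ID == "" {
		return fmt.Errorf("%w: metadata type and id are required", errInvalidArgument)
	}
	return nil
}

// createResourceChecked is the same handler with validation in front of it.
func createResourceChecked(req *CreateRequest) (string, error) {
	if req == nil {
		return "", fmt.Errorf("%w: request is required", errInvalidArgument)
	}
	if err := validateResource(req.Resource); err != nil {
		return "", err
	}
	return req.Resource.Metadata.Version, nil
}

// withRecovery is a defence-in-depth wrapper in the style of a gRPC recovery
// interceptor: a panic inside the handler is converted into an error for that
// one request instead of crashing the server. It limits blast radius only; the
// real fix is the validation above.
func withRecovery(handler func(*CreateRequest) (string, error)) func(*CreateRequest) (string, error) {
	return func(req *CreateRequest) (ver string, err error) {
		defer func() {
			if r := recover(); r != nil {
				err = fmt.Errorf("internal: handler panicked: %v", r)
			}
		}()
		return handler(req)
	}
}

func main() {
	// The "{}" request body from the advisory: a resource with no metadata.
	empty := &CreateRequest{Resource: &Resource{}}

	_, err := withRecovery(createResourceUnchecked)(empty)
	fmt.Println("unchecked handler (recovered):", err)

	_, err = createResourceChecked(empty)
	fmt.Println("checked handler:", err)

	// A well-formed request still goes through (constructed sample values).
	good := &CreateRequest{Resource: &Resource{
		Metadata: &Metadata{Namespace: "default", Type: "Examples.test", ID: "example-1", Version: "3"},
		Spec:     "{}",
	}}
	ver, err := createResourceChecked(good)
	fmt.Println("checked handler, valid request:", ver, err)
}
```

Running the unchecked handler without the recovery wrapper reproduces the crash in-process; with the wrapper the request fails with an internal error and the process survives, while the checked handler rejects the empty request before any dereference and returns an error the transport can surface as a client-side failure.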

Impact

Exploitation of this vulnerability crashes the entire API server process, causing a denial-of-service condition that requires a manual restart unless an automatic restart policy is in place. Because no credentials are needed, any client that can reach the API endpoint can trigger it, and a restart policy only bounds the downtime of each crash: the request can simply be resent, so it does not remove the denial of service.

Reproduction

The vulnerability can be reproduced by sending an empty JSON object as the request body to the 'Create' and 'Update' endpoints of the Resource Service API; no authentication is required. This can be done with curl or any other tool that can issue HTTP requests. A single request is enough to trigger the panic, so the check is whether the server process exits (or restarts) immediately after the request is sent.

Remediation

The vulnerability has been patched in Omni versions 1.1.5 and 1.0.2. Users should upgrade to 1.1.5 or later, or to 1.0.2 on the 1.0 release line. If an immediate upgrade is not possible, limit network exposure of the API endpoint, since the triggering request needs no credentials.

Added: Oct 13, 2025, 9:23 PM
Updated: Oct 13, 2025, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.