OpenSearch Denial-of-Service Vulnerability via Complex Query Strings

Vulnerability

A denial-of-service vulnerability has been identified in OpenSearch versions prior to 3.2.0. This issue allows attackers to exhaust CPU and memory resources by submitting intricate query string inputs that create deeply nested boolean structures. While OpenSearch imposes a per-node limit on boolean clauses, there is no overall restriction on the total number of query nodes or the expansion within non-boolean queries. Exploitation of this vulnerability can lead to significant resource depletion, causing the server to crash.
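The gap described above, shown as an added example (not OpenSearch code and not the actual patch): a per-node clause check accepts a tree that a total-node budget rejects. The nested-dict tree model, the limit values and all function names are assumptions made for illustration.

```python
# Added illustration. The query tree is modelled as nested dicts; this is not
# OpenSearch's internal representation, and both limits are assumed values.
MAX_CLAUSES_PER_NODE = 1024   # assumed per-node boolean clause limit
MAX_TOTAL_NODES = 10_000      # hypothetical global node budget


class QueryTooComplex(ValueError):
    """Raised when a query tree exceeds the global node budget."""


def check_per_node(tree, max_clauses=MAX_CLAUSES_PER_NODE):
    """Per-node check only: True if no single node exceeds the clause limit."""
    stack = [tree]
    while stack:
        node = stack.pop()
        clauses = node.get("clauses", [])
        if len(clauses) > max_clauses:
            return False
        stack.extend(clauses)
    return True


def count_nodes(tree, budget=MAX_TOTAL_NODES):
    """Count every node iteratively and abort once the budget is exceeded,
    so validation itself never walks an unbounded tree."""
    total = 0
    stack = [tree]
    while stack:
        node = stack.pop()
        total += 1
        if total > budget:
            raise QueryTooComplex(f"query exceeds {budget} nodes")
        stack.extend(node.get("clauses", []))
    return total


def build_nested(depth, fanout):
    """Constructed sample tree: `fanout` clauses per node, `depth` levels."""
    if depth == 0:
        return {"type": "term"}
    return {"type": "bool",
            "clauses": [build_nested(depth - 1, fanout) for _ in range(fanout)]}


if __name__ == "__main__":
    tree = build_nested(5, 8)          # 8 clauses per node, 37449 nodes total
    print("per-node check passes:", check_per_node(tree))
    try:
        count_nodes(tree)
    except QueryTooComplex as exc:
        print("global budget rejects:", exc)
```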

Impact

Exploitation of this vulnerability leads to asymmetric denial-of-service, where the server becomes unresponsive due to excessive resource consumption, particularly CPU and memory.

Reproduction

The vulnerability can be reproduced by sending a search request with a query string that includes repeated patterns of 'winAd' combined with 'rises' or 'rising'. This input should be crafted to create a query tree that is heavily nested but keeps each boolean node within the allowed clause limit. The resulting query will consume large amounts of CPU and memory, eventually causing the OpenSearch server to crash.

Remediation

Users can upgrade to OpenSearch version 3.3.0 or later, where this vulnerability has been patched.

Added: Nov 25, 2025, 8:17 PM
Updated: Nov 25, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.