Bio-Formats Untrusted Deserialization Vulnerability in Memoizer Cache Files
Vulnerability
A vulnerability exists in Bio-Formats versions through 8.3.0, where unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) occurs during image processing. The loci.formats.Memoizer class automatically loads and deserializes these memo files without any validation or integrity checks. This flaw allows an attacker to supply a crafted .bfmemo file, triggering the deserialization of untrusted data. The consequences can include denial-of-service, manipulation of application logic, or potentially remote code execution, especially in environments where suitable gadget chains are available on the classpath.
Impact
Exploitation of this vulnerability causes untrusted data to be deserialized. Depending on the payload, this can produce repeated parsing failures that disrupt normal operation (denial of service), influence how the application discovers and loads classes, or, where a suitable gadget chain is present on the classpath, allow remote code execution.
Reproduction
To reproduce this vulnerability, first create a valid TIFF image and generate a legitimate memo file associated with it. This memo file will be automatically loaded by the Bio-Formats application. Next, corrupt the memo file by appending arbitrary data, such as 400 bytes of garbage, which simulates an attack by introducing untrusted data into the deserialization process. After corrupting the memo file, load the associated TIFF image with the Bio-Formats application. The corruption will cause a parsing failure, demonstrating how the vulnerability can be exploited.
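The root cause described above is an ObjectInputStream that accepts whatever class the .bfmemo stream names. As an added example (not Bio-Formats or Memoizer code), the following Java shows the standard JEP 290 mitigation for this class of bug: a deserialization allowlist filter that rejects any unexpected type before its readObject runs. The filter pattern, the SafeMemoRead class and the two sample payloads are assumptions for illustration, not the real set of types a memo file holds.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;

// Added example: JEP 290 allowlist filtering for untrusted Java deserialization.
public class SafeMemoRead {

    // Allowlist (JEP 290 pattern syntax): only the named type and java.lang.*
    // are permitted, with depth and array limits; "!*" rejects everything else.
    // The set of allowed classes here is an illustrative placeholder.
    static final ObjectInputFilter MEMO_FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.*;maxdepth=20;maxarray=100000;!*");

    // Deserialize bytes under the allowlist. A stream naming a class outside the
    // allowlist fails with InvalidClassException before that class is instantiated.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(MEMO_FILTER);
            return ois.readObject();
        }
    }

    // Helper to build constructed sample streams in memory.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a payload made only of allowed types.
        ArrayList<String> allowed = new ArrayList<>();
        allowed.add("tiff-metadata");
        System.out.println("allowed: " + readFiltered(serialize(allowed)));

        // Constructed sample: a type outside the allowlist stands in for the
        // unexpected object a tampered cache file would carry.
        HashMap<String, String> notAllowed = new HashMap<>();
        notAllowed.put("k", "v");
        try {
            readFiltered(serialize(notAllowed));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Pairing such a filter with an integrity check on the cache file (for example, a keyed hash verified before the stream is opened) removes the attacker's ability to supply arbitrary serialized data in the first place.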
