Ericmj Decimal Uncontrolled Resource Consumption Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Ericmj Decimal library, affecting versions from 0.1.0 up to (but not including) 3.0.0. It allows unauthenticated remote attackers to cause uncontrolled resource consumption and crash the application. The root cause is that the library does not limit the exponent of parsed decimal values: a value such as '1e1000000000' is accepted and stored without error. When that value is later used in arithmetic operations or certain formatting functions, the library allocates memory in proportion to the exponent, which can exhaust available memory and crash the BEAM virtual machine. Any application that parses user-supplied decimal input and then performs calculations or conversions on it is affected, and a single malicious request is enough to trigger the out-of-memory condition and bring down the node.
Impact
Exploitation of this vulnerability can lead to a significant increase in memory usage, causing the BEAM virtual machine to run out of available memory and crash. This behavior disrupts the application's normal operation, potentially causing downtime or service unavailability.
Reproduction
The vulnerability can be reproduced by parsing a decimal string with a large exponent (for example '1e1000000000') using the 'Decimal.new', 'Decimal.parse', or 'Decimal.cast' functions. Parsing succeeds and the value is stored; any of the following actions on the stored value then triggers the vulnerability:
1. Performing arithmetic with 'Decimal.add', 'Decimal.sub', or 'Decimal.div', which triggers the memory allocation proportional to the exponent.
2. Converting the decimal to a string with 'Decimal.to_string' using the ':normal' or ':xsd' format, which expands the output in proportion to the exponent.
3. Calling 'Decimal.to_integer', 'Decimal.round', or 'Decimal.compare' with a threshold, all of which recursively process the exponent and can reach the out-of-memory condition.
Remediation
The vulnerability has been patched in Decimal version 3.0.0. Users should upgrade to this version to mitigate the issue.
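Upgrading is the fix; where an upgrade cannot be rolled out immediately, an application can bound the exponent of untrusted input before the value reaches arithmetic or formatting. The following Elixir module is an added example written for this page, not code from the Decimal project or from the advisory. It assumes the Decimal 2.x API (Decimal.parse/1 returning {decimal, rest} or :error) and the %Decimal{sign:, coef:, exp:} struct layout; the SafeDecimal module name and the 1_000 exponent limit are hypothetical choices for illustration.

```elixir
defmodule SafeDecimal do
  # Defense-in-depth wrapper for untrusted decimal input (hypothetical module,
  # not part of the Decimal library). Assumes the Decimal 2.x API, where
  # Decimal.parse/1 returns {decimal, rest} or :error, and the
  # %Decimal{sign:, coef:, exp:} struct layout.
  #
  # The limit below is an application-chosen bound for illustration only;
  # it is not a value from the advisory or the library.
  @max_abs_exp 1_000

  @doc """
  Parses `input` and rejects it when the stored exponent magnitude exceeds
  `max_abs_exp`. Parsing itself does not allocate in proportion to the
  exponent (the advisory notes the value is stored without error), so it
  is safe to call here; the expensive work happens later in arithmetic
  and formatting, which this check keeps the value away from.
  """
  def parse(input, max_abs_exp \\ @max_abs_exp)
      when is_binary(input) and is_integer(max_abs_exp) do
    case Decimal.parse(input) do
      {%Decimal{exp: exp} = d, ""} ->
        if abs(exp) <= max_abs_exp,
          do: {:ok, d},
          else: {:error, :exponent_too_large}

      # Trailing characters after the number, e.g. "1.5abc"
      {%Decimal{}, _rest} ->
        {:error, :invalid}

      :error ->
        {:error, :invalid}
    end
  end

  @doc """
  Adds two untrusted strings only after both pass the exponent check, so
  Decimal.add/2 never sees an exponent large enough to exhaust memory.
  """
  def safe_add(a, b, max_abs_exp \\ @max_abs_exp) do
    with {:ok, da} <- parse(a, max_abs_exp),
         {:ok, db} <- parse(b, max_abs_exp) do
      {:ok, Decimal.add(da, db)}
    end
  end

  @doc """
  Formats a checked value in :normal notation. Because the exponent is
  bounded, the expanded digit string is bounded as well.
  """
  def safe_to_string(input, max_abs_exp \\ @max_abs_exp) do
    with {:ok, d} <- parse(input, max_abs_exp) do
      {:ok, Decimal.to_string(d, :normal)}
    end
  end
end

# Constructed sample inputs for a quick check in iex:
#   SafeDecimal.parse("123.45")
#   SafeDecimal.parse("1e1000000000")
#   SafeDecimal.safe_add("1e5", "2.5")
#   SafeDecimal.safe_to_string("1e1000000000")
```

With these inputs, "123.45" is accepted, while "1e1000000000" is rejected with {:error, :exponent_too_large} by every function, so the oversized value never reaches Decimal.add or Decimal.to_string. The bound should be set from the application's real numeric range rather than copied from this example, and the wrapper is an interim measure alongside, not instead of, upgrading to Decimal 3.0.0.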