Oxia Metadata Store and Coordination System Denial-of-Service Vulnerability via Session Heartbeat Race Condition
Vulnerability
A denial-of-service vulnerability has been identified in Oxia, a metadata store and coordination system, in versions prior to 0.16.2. The issue arises from a race condition between the processing of session heartbeat signals and the closure of sessions, which can cause the server to crash with a 'send on closed channel' error. A remote client can trigger the server panic by sending rapid 'KeepAlive' requests while a session is being closed or is expiring. The root cause is the 'heartbeat()' method, which performs a blocking channel send while holding a mutex. Under certain timing conditions with concurrent 'close()' calls, this results in either a deadlock (when the channel buffer is full) or a panic (from sending on a closed channel after a time-of-check-to-time-of-use gap in the 'KeepAlive' path).
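The race described above, modelled in Go as an added example that is not Oxia's own code: the vulnerable heartbeat (blocking send under the mutex, no re-check that the session is still open) beside a hardened version that re-checks the closed flag under the same lock and never blocks. The Session type and method names are assumptions for illustration.

```go
package main

import (
	"errors"
	"sync"
)

var ErrSessionClosed = errors.New("session already closed")
// Session models the shape the advisory describes: a heartbeat channel drained by
// a background goroutine, a mutex, and a Close that shuts the channel. Illustrative names.
type Session struct {
	mu        sync.Mutex
	closed    bool
	heartbeat chan struct{} // buffer of 1 coalesces bursts of KeepAlives
}

func NewSession() *Session { return &Session{heartbeat: make(chan struct{}, 1)} }

func (s *Session) Close() {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.closed {
		s.closed = true
		close(s.heartbeat)
	}
}

// HeartbeatUnsafe is the vulnerable pattern: a blocking send while holding the
// mutex, with no re-check that the session is still open. If Close ran after the
// caller looked the session up (the TOCTOU gap), this panics with "send on closed
// channel"; if the buffer is full it blocks holding the lock and Close deadlocks.
func (s *Session) HeartbeatUnsafe() {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.heartbeat <- struct{}{}
}

// HeartbeatSafe re-checks the closed flag under the same lock Close takes, and
// never blocks: a heartbeat already queued is enough to keep the session alive.
func (s *Session) HeartbeatSafe() error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.closed {
		return ErrSessionClosed
	}
	select {
	case s.heartbeat <- struct{}{}:
	default: // buffer full: a heartbeat is already pending
	}
	return nil
}
```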
Impact
Exploitation of this vulnerability leads to a server crash, causing the entire data server process to terminate unexpectedly.
Reproduction
To reproduce this vulnerability, initiate a session and then send rapid 'KeepAlive' requests while the session is expiring or being closed. This can be done by manually triggering the session closure process and simultaneously sending 'KeepAlive' signals, taking advantage of the timing to create a race condition that causes the server to panic.
Remediation
Users can upgrade to Oxia version 0.16.2 or later, where this vulnerability has been fixed.
