CVE-2024-31209 in oidcc

Summary

by MITRE • 04/04/2024

oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. This issue has been patched in version(s) `3.1.2` & `3.2.0-beta.3`.


Analysis

by VulDB Data Team • 05/09/2024

CVE-2024-31209 affects oidcc, the OpenID Connect client library for Erlang, and is a denial-of-service vulnerability that exploits atom exhaustion in the library's provider configuration handling. It concerns two functions in the oidcc_provider_configuration_worker module, get_provider_configuration/1 and get_jwks/1, which, when invoked with malicious input, can trigger resource exhaustion that compromises system availability. The flaw is a direct consequence of improper handling of atom creation while retrieving the OpenID Connect provider configuration, where the library fails to manage atom lifecycle and reuse properly.

The root cause lies in the Erlang runtime's atom table: each atom consumes memory and is never garbage collected, so repeatedly creating atoms without reuse produces a persistent resource leak. When get_provider_configuration/1 or get_jwks/1 process malformed or excessively large provider configuration responses, they create numerous atoms during parsing and validation, eventually exhausting the atom table and leading to system crashes or complete service unavailability. This behavior aligns with CWE-400, which categorizes improper handling of resource exhaustion, and shows how atom management can become a critical weakness in Erlang-based systems.

The operational impact goes beyond simple service disruption: the condition can be triggered remotely by attackers who craft malicious OpenID Connect provider responses or manipulate the configuration parameters passed to these functions. Systems relying on oidcc for authentication and authorization workflows are particularly exposed, because the denial of service can be triggered through otherwise legitimate authentication flows, making legitimate usage hard to distinguish from exploitation. Any application that uses the oidcc library for OpenID Connect client functionality is affected, which puts authentication infrastructure in enterprise environments and cloud deployments at risk.

Mitigation requires prompt upgrading to version 3.1.2 or 3.2.0-beta.3, which contain the fixes that prevent atom exhaustion during provider configuration processing. Organizations should also monitor for unusual atom table usage and consider rate limiting or input validation for provider configuration endpoints. From an ATT&CK framework perspective, this vulnerability maps to T1499.004, which covers network denial of service attacks, and represents an application-layer implementation weakness that could be leveraged in broader campaigns against authentication infrastructure. System administrators should also test patched versions for functional regressions while keeping resource monitoring in place to detect exploitation attempts.
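As an added illustration (not oidcc's code and not the project's actual fix), the Erlang module below shows the general atom-creation pattern the analysis describes beside a hardened variant, plus a health check that supports the atom-table monitoring recommended above; the module, function and field names are assumed for the example.

```erlang
%% Added example, not part of oidcc: contrasts an atom-exhausting decoder
%% pattern with a hardened one and exposes an atom-table health check.
%% Module, function and field names are assumed for illustration.
-module(atom_safety_example).
-export([unsafe_key_to_atom/1, safe_key_to_atom/1, atom_table_status/0]).

%% VULNERABLE PATTERN: every distinct key in an attacker-influenced
%% response (e.g. a provider metadata document) becomes a fresh atom.
%% Atoms are never garbage collected, so the table only grows until the
%% VM reaches its atom limit.
unsafe_key_to_atom(Key) when is_binary(Key) ->
    binary_to_atom(Key, utf8).

%% HARDENED PATTERN: binary_to_existing_atom/2 never creates a new atom;
%% it raises badarg for names not already in the table. The allow-list
%% below further restricts results to the fields this module expects.
safe_key_to_atom(Key) when is_binary(Key) ->
    try binary_to_existing_atom(Key, utf8) of
        Atom ->
            case lists:member(Atom, known_fields()) of
                true  -> {ok, Atom};
                false -> {unknown, Key}
            end
    catch
        error:badarg -> {unknown, Key}
    end.

%% Allow-list of recognised metadata field names (assumed subset of the
%% OpenID Connect discovery fields). Being literals in this module, these
%% atoms exist in the table as soon as the module is loaded.
known_fields() ->
    [issuer, authorization_endpoint, token_endpoint, jwks_uri].

%% Health check a monitoring hook can poll: current fill level of the
%% atom table via erlang:system_info/1 (atom_count and atom_limit are
%% standard keys). A steadily rising count under load is the signal.
atom_table_status() ->
    Count = erlang:system_info(atom_count),
    Limit = erlang:system_info(atom_limit),
    Ratio = Count / Limit,
    Level = if Ratio > 0.8 -> critical;
               Ratio > 0.5 -> warning;
               true        -> ok
            end,
    #{atom_count => Count, atom_limit => Limit, level => Level}.
```

Feeding safe_key_to_atom/1 a never-before-seen key returns {unknown, Key} and leaves atom_count unchanged, whereas unsafe_key_to_atom/1 increments it once per distinct key.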

Responsible: GitHub, Inc.

Reservation: 03/29/2024

Disclosure: 04/04/2024

Moderation: accepted

CPE: ready

EPSS: 0.00235

KEV: no

Activities: very low
