CVE-2024-25710 - An In-Depth Look at the Infinite Loop Vulnerability in Apache Commons Compress (versions 1.3 to 1.25.0)

In this long-read post, we will dig deep into one of the critical vulnerabilities discovered in the widely used Apache Commons Compress library. This vulnerability is recorded as CVE-2024-25710 in the Common Vulnerabilities and Exposures (CVE) system and affects versions 1.3 to 1.25.0 of the library. Before we get to the actual code snippet and exploit details, we'll provide a brief overview of Apache Commons Compress and its usage.

About Apache Commons Compress

Apache Commons Compress is an open-source Java library that provides developers with classes and tools to manipulate various archive formats, including ZIP, 7z, AR, ARJ, BZIP2, CPIO, GZIP, and many others. The library is part of the larger Apache Commons project, aiming to offer reusable Java components.

https://commons.apache.org/proper/commons-compress/

CVE-2024-25710 Vulnerability Overview

The vulnerability in question is of the "Infinite Loop" type (CWE-835, Loop with Unreachable Exit Condition): a loop whose exit condition can never be satisfied for certain inputs. As a result, the program can spin forever, which makes the flaw usable for a Denial of Service (DoS) attack and renders the application unusable until the process is terminated.

Exploit Details

The vulnerability exists in the method readFilename of the ZipEncoding interface, which is responsible for reading filenames when decoding ZIP entries.

Here's a code snippet from the affected method:

public String readFilename(byte[] data) throws IOException {
    StringBuilder result = new StringBuilder(data.length * 2);

    // Offset into 'data' of the next byte to decode
    int offset = 0;

    while (offset < data.length) {
        // ... decode the bytes at 'offset' into 'result'; 'count' is the number of bytes consumed ...
        // Advance the offset by the number of bytes decoded in this iteration
        offset += count;
    }

    return result.toString();
}

In the above snippet, the readFilename method reads and decodes the filename bytes held in the 'data' array. It iterates through the array with the 'offset' variable. The problem lies in how that loop makes progress.

After each iteration, in which some of the filename bytes are decoded, 'offset' is incremented by 'count', the number of bytes consumed. In some cases, however, 'count' can be zero, for example when the input is malformed and the decoder consumes nothing. When that happens, 'offset' never advances, it never reaches 'data.length', and the loop condition (offset < data.length) stays true forever, so the loop never exits.
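The following example, added here and not taken from Apache Commons Compress, models the loop shape described above so the failure mode can be reproduced without hanging. Both methods, the sample inputs, and the class name are hypothetical. A strict streaming CharsetDecoder is driven by the same offset/count pattern: a truncated multi-byte UTF-8 sequence at the end of the name makes the decoder consume zero bytes on every further call, which is exactly the zero-progress situation the text describes. stalledIterations() counts those stalled rounds under a demo-only iteration cap (the real vulnerable loop would never return), while readFilenameSafe() shows the defensive pattern a fixed decoder needs: reject decoder errors and fail closed whenever an iteration makes no progress.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CoderResult;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public final class FilenameLoopDemo {

    // Constructed sample inputs (hypothetical, not taken from any real archive):
    // a well-formed name, and "ab" followed by a truncated 3-byte UTF-8 sequence.
    static final byte[] WELL_FORMED = "entry.txt".getBytes(StandardCharsets.UTF_8);
    static final byte[] TRUNCATED = {0x61, 0x62, (byte) 0xE2, (byte) 0x82};

    private static CharsetDecoder strictUtf8() {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
    }

    /**
     * Loop shaped like the vulnerable one: offset only advances by the bytes the
     * decoder consumed. When the decoder stalls (count == 0) the real loop never
     * exits; here a demo-only cap counts the stalled iterations instead of hanging.
     */
    public static int stalledIterations(byte[] data, int cap) {
        CharsetDecoder decoder = strictUtf8();
        ByteBuffer in = ByteBuffer.wrap(data);
        CharBuffer out = CharBuffer.allocate(16);
        int offset = 0;
        int stalled = 0;
        int iterations = 0;
        while (offset < data.length && iterations < cap) {
            iterations++;
            int before = in.position();
            decoder.decode(in, out, false);   // streaming call: may consume nothing
            out.clear();
            int count = in.position() - before;
            if (count == 0) {
                stalled++;                    // the vulnerable loop would spin here forever
            }
            offset += count;
        }
        return stalled;
    }

    /** Hardened loop: every iteration must make progress, otherwise fail closed. */
    public static String readFilenameSafe(byte[] data) throws IOException {
        StringBuilder result = new StringBuilder(data.length * 2);
        CharsetDecoder decoder = strictUtf8();
        ByteBuffer in = ByteBuffer.wrap(data);
        CharBuffer out = CharBuffer.allocate(16);
        int offset = 0;
        while (offset < data.length) {
            int before = in.position();
            CoderResult cr = decoder.decode(in, out, false);
            out.flip();
            result.append(out);
            out.clear();
            if (cr.isError()) {
                cr.throwException();          // malformed or unmappable bytes: reject the name
            }
            int count = in.position() - before;
            if (count <= 0) {
                // No progress: truncated multi-byte sequence or a stalled decoder.
                throw new IOException("filename decoding made no progress at offset " + offset);
            }
            offset += count;
        }
        // Signal end of input and drain any buffered decoder state.
        decoder.decode(in, out, true);
        decoder.flush(out);
        out.flip();
        result.append(out);
        return result.toString();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("well-formed name: " + readFilenameSafe(WELL_FORMED));
        System.out.println("stalled rounds within a 1000-round cap: "
                + stalledIterations(TRUNCATED, 1000));
        try {
            readFilenameSafe(TRUNCATED);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first decoder call on TRUNCATED consumes the two ASCII bytes and then reports underflow at the incomplete sequence; every call after that consumes nothing, so the vulnerable-shaped loop records one stalled round per iteration until the cap, and the hardened loop throws on the first zero-progress iteration. The same progress guard (abort when offset does not advance) is the general fix for any decode or parse loop whose termination depends on attacker-controlled input.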

References

1. Apache Commons Compress - Loop with Unreachable Exit Condition: https://www.apache.org/dist/commons/compress/changes-report.html#a1.26.
2. CVE-2024-25710 - Infinite Loop Vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25710

Solution

Users are recommended to upgrade to Apache Commons Compress version 1.26.0, where the vulnerability has been fixed. The updated library is available at:

https://commons.apache.org/proper/commons-compress/download_compress.cgi

Conclusion

It is essential to keep all software components and libraries up to date to reduce the risk of vulnerabilities like CVE-2024-25710. In this long-read post, we covered the details of the infinite loop vulnerability in Apache Commons Compress and shared links to the original references. Please remember to update your libraries to the latest version and stay vigilant about such vulnerabilities to maintain your applications' security and performance.

Timeline

Published on: 02/19/2024 09:15:37 UTC
Last modified on: 03/07/2024 17:15:12 UTC