Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Weakness
The product does not properly control the allocation and maintenance of a limited resource.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Pillow | Python | 10.3.0 (including) | 12.2.0 (excluding) |
| Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.12-pillow-0:12.2.0-1.el8ap | * |
| Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.12-pillow-0:12.2.0-1.el9ap | * |
| Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | python3.12-pillow-0:12.2.0-1.el9ap | * |
| Red Hat Satellite 6.16 for RHEL 8 | RedHat | python-pillow-0:12.2.0-1.el8pc | * |
| Red Hat Satellite 6.16 for RHEL 8 | RedHat | python-pillow-0:12.2.0-1.el8pc | * |
| Red Hat Satellite 6.16 for RHEL 9 | RedHat | python-pillow-0:12.2.0-1.el9pc | * |
| Red Hat Satellite 6.16 for RHEL 9 | RedHat | python-pillow-0:12.2.0-1.el9pc | * |
| Red Hat AI Inference Server 3.3 | RedHat | rhaiis/model-opt-cuda-rhel9:1778244559 | * |
| Red Hat AI Inference Server 3.3 | RedHat | rhaiis/vllm-rocm-rhel9:1778244531 | * |
| Red Hat AI Inference Server 3.3 | RedHat | rhaiis/vllm-cuda-rhel9:1778274666 | * |
| Red Hat AI Inference Server 3.3 | RedHat | rhaiis/vllm-spyre-rhel9:1778244546 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/hub-rhel9:1779761061 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/lightspeed-chatbot-rhel9:1780102732 | * |
| Red Hat Enterprise Linux AI 3.3 | RedHat | rhelai3/disk-image-cuda-rhel9:1778690639 | * |
| Red Hat Enterprise Linux AI 3.3 | RedHat | rhelai3/bootc-aws-cuda-rhel9:1778677633 | * |
| Red Hat Enterprise Linux AI 3.3 | RedHat | rhelai3/bootc-azure-cuda-rhel9:1778677632 | * |
| Red Hat Enterprise Linux AI 3.3 | RedHat | rhelai3/bootc-azure-rocm-rhel9:1778677745 | * |
| Red Hat Enterprise Linux AI 3.3 | RedHat | rhelai3/bootc-cuda-rhel9:1778666122 | * |
| Red Hat Enterprise Linux AI 3.3 | RedHat | rhelai3/bootc-gcp-cuda-rhel9:1778677632 | * |
| Red Hat Enterprise Linux AI 3.3 | RedHat | rhelai3/bootc-rocm-rhel9:1778666124 | * |
| Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-caikit-tgis-serving-rhel9:1780388133 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9:1778677779 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9:1778677692 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9:1778262893 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9:1778677701 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9:1778677741 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:1778677767 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-training-cuda128-torch29-py312-rhel9:1779123334 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-training-rocm64-torch29-py312-rhel9:1778263128 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9:1778782933 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9:1778677718 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9:1778677716 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9:1778263054 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9:1778677734 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9:1778677667 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9:1778677717 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9:1778677722 | * |
| Red Hat Quay 3.1 | RedHat | quay/quay-rhel8:1779822261 | * |
| Red Hat Quay 3.12 | RedHat | quay/quay-rhel8:1779811412 | * |
| Red Hat Quay 3.14 | RedHat | quay/quay-rhel8:1779689392 | * |
| Red Hat Quay 3.15 | RedHat | quay/quay-rhel8:1780891395 | * |
| Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1779204086 | * |
| Red Hat Quay 3.17 | RedHat | quay/quay-rhel9:1779922205 | * |
| Red Hat Quay 3.9 | RedHat | quay/quay-rhel8:1779811473 | * |
| Pillow | Ubuntu | devel | * |
| Pillow | Ubuntu | questing | * |
| Pillow | Ubuntu | resolute | * |
| Pillow | Ubuntu | upstream | * |
Potential Mitigations
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/147.html
- https://cwe.mitre.org/data/definitions/227.html
- https://cwe.mitre.org/data/definitions/492.html
References
- https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
- https://github.com/python-pillow/Pillow/pull/9521
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j
- https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb