CVE-2021-23437

7.5 HIGH

📋 TL;DR

This vulnerability in Pillow (Python Imaging Library) allows attackers to cause Denial of Service (DoS) through a Regular Expression Denial of Service (ReDoS) attack via the getrgb function. The vulnerability affects applications that process untrusted image data using vulnerable Pillow versions. Systems using Pillow for image processing in web applications, APIs, or file upload features are at risk.

💻 Affected Systems

Products:
  • Pillow (Python Imaging Library)
Versions: 5.2.0 and all versions before 8.3.2
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Pillow's getrgb function with untrusted input is vulnerable. This includes web applications processing user-uploaded images, image processing services, and any Python code that calls getrgb() on external data.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion, causing application crashes or severe performance degradation that affects all users.

🟠

Likely Case

Degraded performance or temporary service disruption for specific endpoints processing malicious image data, potentially affecting availability for legitimate users.

🟢

If Mitigated

Minimal impact with proper input validation, rate limiting, and monitoring in place to detect and block ReDoS attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a widely used library and ReDoS attacks are well-understood. Attackers can craft malicious image data or color strings to trigger pathological regex processing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.2 and later

Vendor Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Restart Required: Yes

Instructions:

1. Update Pillow using pip: pip install --upgrade "pillow>=8.3.2" (quote the version spec so the shell does not treat >= as a redirection)
2. Verify the update with: pip show pillow
3. Restart any services or applications that have Pillow loaded
4. Test image processing functionality

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement strict input validation for image data and color strings before passing to getrgb function

Rate Limiting and Timeouts

Applies to: all

Implement request rate limiting and processing timeouts for image processing endpoints
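As an added example (not code from this advisory or from Pillow itself), the two workarounds above combined into one gate that runs in front of PIL.ImageColor.getrgb: a hard length cap plus anchored patterns with bounded quantifiers, so any string outside a narrow allowlist grammar is rejected in time linear in its length before Pillow's own parser ever sees it. The accepted formats (3- or 6-digit hex, rgb(r,g,b) with integer components, and a short name list), the 32-character cap and all function names are assumptions; widen the grammar to the forms your application actually needs.

```python
import re

# Hard cap on accepted colour-string length (assumed value).  Legitimate
# colour specs are a few dozen characters at most; the cap bounds the work
# any pattern below can do before it is even applied.
MAX_COLOR_LEN = 32

# Anchored patterns using only bounded quantifiers and no nested or
# overlapping repetition, so each match runs in time linear in the input.
_HEX_RE = re.compile(r"\A#(?:[0-9a-f]{6}|[0-9a-f]{3})\Z")
_RGB_RE = re.compile(r"\Argb\((\d{1,3}), ?(\d{1,3}), ?(\d{1,3})\)\Z")

# Small constructed allowlist of colour names; extend as required.
_NAMED = frozenset({"black", "white", "red", "green", "blue"})


def validate_color(value: str) -> str:
    """Return the normalised colour spec if it is allowlisted, else raise.

    Runs before the string reaches ImageColor.getrgb, so input that does not
    fit the narrow grammar is rejected regardless of how the library's own
    parser behaves on it.
    """
    if not isinstance(value, str):
        raise ValueError("colour must be a string")
    if len(value) > MAX_COLOR_LEN:
        # Rejected before any regex runs: the cap is the first line of defence.
        raise ValueError("colour string too long")
    spec = value.strip().lower()
    if spec in _NAMED or _HEX_RE.match(spec):
        return spec
    match = _RGB_RE.match(spec)
    if match:
        if all(0 <= int(component) <= 255 for component in match.groups()):
            return spec
        raise ValueError("rgb component out of range")
    raise ValueError("unsupported colour format")


def is_valid_color(value) -> bool:
    """Boolean convenience wrapper around validate_color."""
    try:
        validate_color(value)
        return True
    except ValueError:
        return False


def safe_getrgb(value: str):
    """Validate first, then delegate to Pillow's parser (imported lazily so
    the validator itself has no Pillow dependency)."""
    from PIL import ImageColor
    return ImageColor.getrgb(validate_color(value))


if __name__ == "__main__":
    for sample in ["#FFAA00", "rgb(255, 0, 128)", "Red", "rgb(256,0,0)",
                   "rgb(" + " " * 10000 + ")"]:
        print(repr(sample[:40]), "->", is_valid_color(sample))
```

Pair the gate with a process-level timeout or CPU limit on the worker that performs image operations, so that a string which slips past the allowlist still cannot hold a request thread indefinitely; the gate reduces exposure, the resource limit bounds the damage.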

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block ReDoS patterns in image data
  • Isolate image processing to separate containers or servers with resource limits to prevent system-wide impact

🔍 How to Verify

Check if Vulnerable:

Check Pillow version with: python -c "import PIL; print(PIL.__version__)" or pip show pillow

Check Version:

python -c "import PIL; print('Pillow version:', PIL.__version__)"

Verify Fix Applied:

Confirm the version is 8.3.2 or higher. Compare numerically, not as strings, because a plain string comparison sorts "10.0.0" before "8.3.2": python -c "import PIL; v = tuple(int(p) for p in PIL.__version__.split('.')[:3]); print(v >= (8, 3, 2))"

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for image operations
  • High CPU usage spikes from Python processes
  • Repeated failed image processing requests

Network Indicators:

  • Multiple requests with similar image data patterns
  • Unusually large or malformed image uploads

SIEM Query:

source="application.log" AND ("getrgb" OR "PIL" OR "Pillow") AND (duration>5s OR "timeout" OR "CPU spike")

(Generic pseudo-syntax: adapt the source name, field names and duration comparison to your SIEM's query language.)
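As an added example (not part of this advisory), the log indicators above turned into a small detector run over constructed sample lines: it parses an assumed key=value application-log format, keeps image-related operations whose duration exceeds a threshold or that ended in a timeout, and counts which clients produced repeated slow events. The log format, field names, operation names, addresses and thresholds are all assumptions to adapt to your own logging.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample lines in an assumed "key=value" application-log format.
SAMPLE_LOG = """\
2021-09-10T12:00:01Z INFO op=image.resize duration=0.12s client=10.0.0.5 status=200
2021-09-10T12:00:02Z INFO op=getrgb duration=0.00s client=10.0.0.5 status=200
2021-09-10T12:00:09Z WARN op=getrgb duration=7.80s client=198.51.100.7 status=200
2021-09-10T12:00:20Z ERROR op=image.open duration=30.00s client=198.51.100.7 status=504 msg=timeout
2021-09-10T12:00:31Z ERROR op=getrgb duration=30.01s client=198.51.100.7 status=504 msg=timeout
2021-09-10T12:00:40Z INFO op=image.thumbnail duration=0.40s client=203.0.113.9 status=200
"""

# Anchored parser for the assumed format; unmatched lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) op=(?P<op>\S+) duration=(?P<dur>\d+(?:\.\d+)?)s "
    r"client=(?P<client>\S+) status=(?P<status>\d{3})(?: msg=(?P<msg>.*))?$"
)

# Operation names treated as image processing (assumed naming convention).
IMAGE_OP_PREFIXES = ("image.", "getrgb")


class SlowEvent(NamedTuple):
    ts: str
    op: str
    duration: float
    client: str
    status: int


def find_slow_image_ops(lines: Iterable[str], threshold_s: float = 5.0) -> List[SlowEvent]:
    """Return image operations that ran longer than threshold_s or timed out."""
    events: List[SlowEvent] = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        op = match["op"]
        if not op.startswith(IMAGE_OP_PREFIXES):
            continue
        duration = float(match["dur"])
        if duration >= threshold_s or match["msg"] == "timeout":
            events.append(SlowEvent(match["ts"], op, duration,
                                    match["client"], int(match["status"])))
    return events


def repeat_offenders(events: Iterable[SlowEvent], min_events: int = 2) -> Dict[str, int]:
    """Clients with at least min_events slow image operations, with counts."""
    counts = Counter(event.client for event in events)
    return {client: n for client, n in counts.items() if n >= min_events}


if __name__ == "__main__":
    slow = find_slow_image_ops(SAMPLE_LOG.splitlines())
    for event in slow:
        print(f"{event.ts} {event.op} {event.duration:.2f}s client={event.client}")
    print("repeat offenders:", repeat_offenders(slow))
```

A single slow getrgb call is noise; the same client repeatedly producing slow or timed-out image operations within a short window is the signal worth alerting on, which is why the detector reports per-client counts rather than individual lines.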
