CVE-2021-27921
📋 TL;DR
This vulnerability in Pillow (Python Imaging Library) allows attackers to cause denial of service through memory exhaustion: the BLP decoder did not properly check the reported size of an image contained in a BLP container before allocating memory for it, so a crafted file with a huge declared size triggers an attempted allocation far larger than the file itself. Affected applications can run out of memory and crash. This affects any system that uses a vulnerable version of Pillow to open attacker-supplied image data, since Pillow identifies BLP files by content rather than by file extension.
💻 Affected Systems
- Pillow (Python Imaging Library)
📦 What is this software?
Fedora by Fedoraproject
Pillow by Python
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, potentially leading to system instability or crashes across multiple services using Pillow.
Likely Case
Application crashes or degraded performance when processing malicious BLP files, affecting image processing functionality.
If Mitigated
Minimal impact with proper input validation, memory limits, and updated Pillow versions preventing successful exploitation.
🎯 Exploit Status
Exploitation requires supplying a malicious BLP file to vulnerable Pillow instances. No authentication needed if file upload/processing is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.1.2 and later
Vendor Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
Restart Required: Yes for long-running Python processes (an already-started interpreter keeps the old PIL module loaded until it is restarted); no system reboot needed
Instructions:
1. Update Pillow using pip: 'pip install --upgrade "pillow>=8.1.2"' (quote the version specifier so the shell does not treat '>' as a redirect)
2. Verify installation: 'pip show pillow' should show version 8.1.2 or higher
3. Restart any long-running Python processes (web workers, task queues) so they import the updated library, then test BLP file processing functionality
🔧 Temporary Workarounds
Disable BLP file processing
Configure applications to reject or skip BLP image format processing (all platforms)
# Application-specific configuration required
Implement memory limits
Set memory limits on processes using Pillow to contain potential memory exhaustion (Linux). 'ulimit -v' caps the virtual address space in KiB, so set it above the process's normal footprint; a worker that hits the cap fails with a MemoryError or is killed instead of taking the host down with it.
ulimit -v [memory_limit_in_kb] # Linux example
docker run --memory=[limit] # Container example
🧯 If You Can't Patch
- Implement strict file type validation to reject BLP files at application boundaries
- Deploy memory monitoring and alerting for processes using Pillow to detect potential exploitation attempts
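The two workarounds above (reject BLP at the application boundary, and do not rely on the file name) can be combined in one gate in front of the decoder. The following is an added example written for this page, not code from Pillow or from the advisory; the function and table names are illustrative, and the sample uploads are constructed headers, not real files. The magic values are the real signatures each container starts with (Pillow's BLP plugin accepts files beginning with b"BLP1" or b"BLP2"), and the gate uses an allowlist rather than a BLP denylist so that unknown containers are also refused.

```python
"""Content-based image format gating at an upload boundary (added example).

Decides by magic bytes rather than extension, so a BLP payload renamed to
.png is still rejected before it ever reaches a decoder.
"""
from dataclasses import dataclass
from typing import Optional

# Leading bytes that identify a container. BLP is listed only so it can be
# named in the rejection reason; it is deliberately absent from the allowlist.
MAGIC_SIGNATURES = {
    "PNG":  [b"\x89PNG\r\n\x1a\n"],
    "JPEG": [b"\xff\xd8\xff"],
    "GIF":  [b"GIF87a", b"GIF89a"],
    "BLP":  [b"BLP1", b"BLP2"],
}

# Allowlist: everything not named here is refused, which also covers
# formats that are not in MAGIC_SIGNATURES at all.
ALLOWED_FORMATS = frozenset({"PNG", "JPEG", "GIF"})


@dataclass(frozen=True)
class GateDecision:
    accepted: bool
    detected_format: Optional[str]
    reason: str


def sniff_format(header: bytes) -> Optional[str]:
    """Return the format whose magic bytes match the start of header, or None."""
    for name, prefixes in MAGIC_SIGNATURES.items():
        if any(header.startswith(p) for p in prefixes):
            return name
    return None


def gate_upload(filename: str, data: bytes, max_bytes: int = 10 * 1024 * 1024) -> GateDecision:
    """Decide whether data may be handed to an image decoder.

    Cheapest check first (byte length), then the magic check. The filename
    is reported in the reason but never trusted for the decision.
    """
    if len(data) > max_bytes:
        return GateDecision(False, None, f"{filename}: {len(data)} bytes exceeds limit {max_bytes}")
    fmt = sniff_format(data[:16])
    if fmt is None:
        return GateDecision(False, None, f"{filename}: unrecognised container")
    if fmt not in ALLOWED_FORMATS:
        return GateDecision(False, fmt, f"{filename}: {fmt} is not an allowed format")
    return GateDecision(True, fmt, "ok")


# Constructed sample uploads (headers only, zero-padded), not real files.
SAMPLES = {
    "photo.png":   b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,
    "texture.blp": b"BLP2" + b"\x00" * 28,
    "renamed.png": b"BLP1" + b"\x00" * 28,   # BLP body behind a PNG file name
    "noise.jpg":   b"\x00\x01\x02\x03" + b"\x00" * 28,
}


def run_samples() -> dict:
    """Run every constructed sample through the gate; keyed by file name."""
    return {name: gate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        verdict = "ACCEPT" if d.accepted else "REJECT"
        print(f"{verdict} {name:12} {d.detected_format or '-':5} {d.reason}")
```

Only data that passes the gate should reach Pillow, and the worker that decodes it should still run under the memory cap from the workarounds above, since the gate stops BLP but not every oversized allocation in other decoders. Recent Pillow versions also accept a 'formats=' allowlist on 'Image.open', which restricts which plugins are tried; pairing that with a content sniff like this one keeps the decision out of the decoder entirely.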
🔍 How to Verify
Check if Vulnerable:
Check the Pillow version in each environment that processes images (every virtualenv and container carries its own copy): 'python -c "import PIL; print(PIL.__version__)"'. Anything below 8.1.2 is vulnerable. For distribution-packaged Pillow (Fedora, Gentoo), the fix may ship under a distribution version number, so check against the distribution advisory listed in References rather than the upstream number alone.
Check Version:
python -c "import PIL; print('Pillow version:', PIL.__version__)"
Verify Fix Applied:
Confirm version is 8.1.2 or higher and test processing of legitimate BLP files
📡 Detection & Monitoring
Log Indicators:
- Memory allocation errors
- Process crashes when handling image files
- Unusually large memory consumption by Python processes
Network Indicators:
- Uploads of BLP files to web applications
- File transfers containing .blp extensions (the attacker controls the file name and Pillow detects BLP by content, so where content inspection is available match on the leading bytes 'BLP1' or 'BLP2' instead)
SIEM Query:
source="application_logs" AND ("memory allocation failed" OR "Pillow" OR "BLP") AND event_type="error"
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
- https://security.gentoo.org/glsa/202107-33