CVE-2021-27923
📋 TL;DR
This vulnerability in Pillow (Python Imaging Library) allows attackers to cause denial of service through memory exhaustion by providing specially crafted ICO image files. The library fails to properly validate reported image sizes within ICO containers, leading to excessive memory allocation attempts. Any application using vulnerable Pillow versions to process ICO files is affected.
💻 Affected Systems
- Pillow (Python Imaging Library)
📦 What is this software?
Fedora by Fedoraproject
Pillow by Python
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory exhaustion, potentially causing system crashes or requiring restarts of affected applications.
Likely Case
Application crashes or hangs when processing malicious ICO files, leading to temporary service disruption.
If Mitigated
Minimal impact with proper input validation and memory limits in place, though processing may still fail.
🎯 Exploit Status
Creating malicious ICO files is straightforward. Public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.1.2 and later
Vendor Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
Restart Required: No
Instructions:
1. Update Pillow using pip: 'pip install --upgrade "pillow>=8.1.2"' (quote the requirement so the shell does not treat >= as an output redirection)
2. Verify the installed version with 'pip show pillow'
3. Restart any running Python applications that use Pillow.
🔧 Temporary Workarounds
Disable ICO processing
All platforms: modify application code to reject or skip ICO file processing
# In Python code, add an ICO format check before processing; derive file_format
# from the file's content (magic bytes), not from the user-supplied filename
if file_format == 'ICO':
    raise ValueError('ICO processing disabled due to security concerns')
Implement memory limits
Linux: use resource limits or container constraints to prevent memory exhaustion
# For Linux systems with systemd, add to the [Service] section of the unit file: MemoryMax=512M
# Or cap the process's virtual memory with ulimit (value in KiB, here 512 MiB): ulimit -v 524288
🧯 If You Can't Patch
- Implement strict file upload validation to reject ICO files
- Deploy memory monitoring and alerting for abnormal consumption patterns
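Added example (not from this advisory or the Pillow project) for deployments that must keep accepting icons instead of rejecting them outright: a content-based pre-check that identifies ICO by magic bytes rather than filename and refuses any container whose directory entries or embedded PNG/BMP headers claim a frame beyond a pixel budget, before the bytes reach Pillow. The pixel budget, the entry cap and the build_ico/bmp_header/png_header helpers are assumptions and constructed test helpers, not part of the page.

```python
import struct

ICO_MAGIC = b"\x00\x00\x01\x00"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 256 * 256  # largest frame a real .ico directory can describe (assumed policy)
MAX_ENTRIES = 64        # sanity bound on directory entries (assumed policy)

class UnsafeIco(ValueError):
    """An ICO container claims sizes we refuse to hand to a decoder."""
def declared_size(blob):
    # Size the embedded frame claims for itself: PNG IHDR, or BMP header (biHeight doubled: AND mask)
    if blob[:8] == PNG_MAGIC and len(blob) >= 24:
        return struct.unpack(">II", blob[16:24])
    if blob[:8] != PNG_MAGIC and len(blob) >= 12:
        w, h = struct.unpack("<ii", blob[4:12])
        return w, abs(h) // 2
    raise UnsafeIco("truncated frame header")
def check_ico(data, max_pixels=MAX_PIXELS):
    """Validate directory and embedded headers before decoding; returns (w, h) frames."""
    if len(data) < 6 or data[:4] != ICO_MAGIC:
        raise UnsafeIco("not an ICO container")
    count = struct.unpack("<H", data[4:6])[0]
    if not 0 < count <= MAX_ENTRIES or len(data) < 6 + 16 * count:
        raise UnsafeIco(f"implausible directory ({count} entries)")
    frames = []
    for i in range(count):
        w, h, size, offset = struct.unpack("<BB6xII", data[6 + 16 * i:22 + 16 * i])
        w, h = w or 256, h or 256  # 0 in the directory means 256
        if size == 0 or offset + size > len(data):
            raise UnsafeIco(f"entry {i}: data range outside the file")
        dw, dh = declared_size(data[offset:offset + size])
        # The embedded header drives the decoder's allocation: reject oversized or inconsistent claims
        if dw * dh > max_pixels or (dw, dh) != (w, h):
            raise UnsafeIco(f"entry {i}: header claims {dw}x{dh}, directory {w}x{h}")
        frames.append((w, h))
    return frames
def build_ico(frames):
    # Constructed sample builder: frames are (dir_w, dir_h, blob); blobs are bare headers, not real images
    directory, body, offset = b"", b"", 6 + 16 * len(frames)
    for w, h, blob in frames:
        directory += struct.pack("<BB6xII", w % 256, h % 256, len(blob), offset)
        body, offset = body + blob, offset + len(blob)
    return ICO_MAGIC + struct.pack("<H", len(frames)) + directory + body
def bmp_header(w, h):  # BITMAPINFOHEADER with doubled height, as stored in ICO
    return struct.pack("<Iii", 40, w, h * 2) + b"\x00" * 28
def png_header(w, h):  # PNG signature plus an IHDR chunk carrying the claimed size
    return PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", w, h)
```

Run check_ico on the uploaded bytes and only call Image.open on data that passes; a UnsafeIco rejection is also a useful log event for the monitoring described below.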
🔍 How to Verify
Check if Vulnerable:
Check Pillow version with: python -c "import PIL; print(PIL.__version__)" or pip show pillow
Check Version:
pip show pillow | grep Version
Verify Fix Applied:
Confirm version is 8.1.2 or higher: python -c "import PIL; print('VULNERABLE' if tuple(map(int, PIL.__version__.split('.'))) < (8,1,2) else 'PATCHED')"
📡 Detection & Monitoring
Log Indicators:
- Memory allocation errors
- Process crashes when handling image files
- High memory usage spikes
Network Indicators:
- Uploads of ICO files to image processing endpoints
- Unusually large file uploads
SIEM Query:
source="application.logs" AND ("MemoryError" OR "out of memory" OR "ICO")
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
- https://security.gentoo.org/glsa/202107-33
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html