
Improper Handling of Highly Compressed Data (Data Amplification)

ID: CWE-409
Created: 2012-05-14
Modified: 2022-10-10
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base

Description

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Extended Description

An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
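The mitigation this entry points at (the CERT IDS04-J mapping, "limit the size of files passed to ZipInputStream") looks like the following in Python. This is an added example, not part of the CWE text: it caps the compression ratio per member and the total decompressed output, checking the declared header sizes first and then re-checking while bytes actually stream out of the decompressor, since a hostile archive can lie in its headers. The sample archives are constructed in the block itself.

```python
"""Guard a ZIP reader against decompression bombs (CWE-409). Added example."""
import io
import zipfile

MAX_TOTAL_OUTPUT = 1 * 1024 * 1024   # cap on decompressed bytes, all members combined
MAX_RATIO = 100                       # reject any member that expands more than 100:1
CHUNK = 64 * 1024


def build_zip(members):
    """Constructed sample input: members is {name: bytes}; returns archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_extract(zip_bytes, max_total=MAX_TOTAL_OUTPUT, max_ratio=MAX_RATIO):
    """Return {name: bytes}; raise ValueError as soon as a limit would be exceeded."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # First filter: the sizes the archive *claims*. Cheap, but forgeable.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ValueError(f"{info.filename}: declared ratio exceeds {max_ratio}:1")
            if total + info.file_size > max_total:
                raise ValueError(f"{info.filename}: declared size exceeds total cap")
            # Second filter: count bytes as they really come out of the decompressor,
            # so a forged header cannot push output past the cap.
            chunks, produced = [], 0
            with zf.open(info) as fh:
                while chunk := fh.read(CHUNK):
                    produced += len(chunk)
                    if total + produced > max_total:
                        raise ValueError(f"{info.filename}: output exceeded {max_total} bytes")
                    if produced / max(info.compress_size, 1) > max_ratio:
                        raise ValueError(f"{info.filename}: actual ratio exceeds {max_ratio}:1")
                    chunks.append(chunk)
            total += produced
            out[info.filename] = b"".join(chunks)
    return out


def classify(zip_bytes):
    """('accepted', [member names]) or ('rejected', reason)."""
    try:
        return "accepted", sorted(safe_extract(zip_bytes))
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    benign = build_zip({"table.bin": bytes(range(256)) * 4})            # ~4:1 ratio
    bomb = build_zip({"zeros.bin": b"\x00" * (8 * 1024 * 1024)})         # ~1000:1 ratio
    print(classify(benign))
    print(classify(bomb))
```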

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope: Availability
Technical Impact:
  • DoS: amplification
  • DoS: crash / exit / restart
  • DoS: resource consumption (CPU)
  • DoS: resource consumption (memory)
Notes: System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE: CWE-409 ChildOf CWE-907
Type: Category
View: CWE-888
Chain: (empty)

Demonstrative Examples

  1. The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The entity names encode the exponent of two that gives their expanded length: ZERO expands to 2^0, that is, one character. Similarly, ONE refers to ZERO twice, so the XML parser expands ONE to a length of 2, or 2^1. Ultimately we reach entity THIRTYTWO, which expands to 2^32 characters, or 4 GB, probably consuming far more memory than the parser's caller expected. (Demonstrative Example Id DX-53)

Observed Examples

  1. CVE-2009-1955 : XML bomb in web server module
  2. CVE-2003-1564 : Parsing library allows XML bomb

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy                  Id        Name                                               Fit
PLOVER                              Data Amplification
CERT Java Secure Coding   IDS04-J   Limit the size of files passed to ZipInputStream

References:
None

© SecPod Technologies