Researchers at Oligo have discovered six security vulnerabilities in the Ollama AI framework. Ollama is a popular open-source tool that allows users to run AI models locally on their own computers or corporate hardware. The findings matter because Ollama is widely used by both individuals and companies, with over 93,000 stars on GitHub.
Of the six flaws, four were assigned CVE identifiers and were patched in a recent update. The remaining two are disputed between the researchers and the Ollama maintainers, making them shadow vulnerabilities.
The six vulnerabilities include:
- CVE-2024-39719 (CVSS score: 7.5) – A vulnerability that an attacker can exploit using the /api/create endpoint to determine the existence of a file on the server (Fixed in version 0.1.47)
- CVE-2024-39720 (CVSS score: 8.2) – An out-of-bounds read vulnerability that could cause the application to crash by means of the /api/create endpoint, resulting in a DoS condition (Fixed in version 0.1.46)
- CVE-2024-39721 (CVSS score: 7.5) – A vulnerability that causes resource exhaustion and ultimately a DoS when the /api/create endpoint is invoked repeatedly with the file “/dev/random” as input (Fixed in version 0.1.34)
- CVE-2024-39722 (CVSS score: 7.5) – A path traversal vulnerability in the /api/push endpoint that exposes the files existing on the server and the entire directory structure on which Ollama is deployed (Fixed in version 0.1.46)
- A vulnerability that could lead to model poisoning via the /api/pull endpoint from an untrusted source (No CVE identifier, Unpatched)
- A vulnerability that could lead to model theft via the /api/push endpoint to an untrusted target (No CVE identifier, Unpatched)
These security vulnerabilities could allow threat actors to carry out various types of attacks through simple HTTP requests. The dangers include denial-of-service (DoS), model poisoning, model theft, and more. Attackers could cause this damage without needing sophisticated technical skills.
These vulnerabilities could have a global impact: researchers found nearly 10,000 Ollama systems connected to the internet, with many in countries like China, the United States, Germany, and South Korea. They estimate that about one in four of these systems might be vulnerable to these security issues. The response timeline published by Oligo shows that Ollama was quick to fix the vulnerabilities, just as it was with the RCE vulnerability it faced earlier this year.
Individuals and companies using Ollama are advised to update to the latest version (0.1.47), which fixes most of the vulnerabilities. Companies should also ensure that they deploy AI models with proper security measures in place.
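To act on the upgrade advice across more than one machine, the fixed-in versions listed above can be turned into a fleet check. The following is an added example, not code from Oligo or the Ollama project; the host names and version strings in the inventory are constructed, and treating a pre-release of a fixing version as still exposed is a conservative assumption.

```python
import re

# Fixed-in versions exactly as listed in the article above.
FIXED_IN = {
    "CVE-2024-39719": (0, 1, 47),
    "CVE-2024-39720": (0, 1, 46),
    "CVE-2024-39721": (0, 1, 34),
    "CVE-2024-39722": (0, 1, 46),
}
# The two disputed issues have no CVE and no fix version, so no upgrade clears them.
UNPATCHED = ["model poisoning via /api/pull", "model theft via /api/push"]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.\-]+)?$")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None

def open_cves(version_text):
    """CVEs from the article that a given Ollama version is still exposed to."""
    parsed = parse_version(version_text)
    if parsed is None:
        # Unknown build: assume nothing is fixed rather than silently passing it.
        return sorted(FIXED_IN)
    core, prerelease = parsed
    result = []
    for cve, fixed in FIXED_IN.items():
        # A pre-release of the fixing version (e.g. 0.1.46-rc1) is treated as
        # older than the release, since the fix may not have landed yet.
        if core < fixed or (core == fixed and prerelease):
            result.append(cve)
    return sorted(result)

def audit(inventory):
    """Map each host to its open CVEs; hosts with none are still listed."""
    return {host: open_cves(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory: host names and versions are made up for illustration.
    inventory = {"gpu-01": "0.1.33", "gpu-02": "0.1.46", "lab-03": "0.1.47-rc2",
                 "dev-04": "0.1.47", "old-05": "custom-build"}
    for host, cves in audit(inventory).items():
        print(f"{host}: {', '.join(cves) or 'listed CVEs patched'}"
              f" (+ unpatched: {'; '.join(UNPATCHED)})")
```

A host that reports no open CVEs is still subject to the two unpatched issues, so the version check complements, rather than replaces, restricting who can reach the API.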