Bug 2241722 (CVE-2023-43642)

Summary: CVE-2023-43642 snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, anstephe, avibelli, bbuckingham, bcourt, bgeorges, chazlett, clement.escoffier, dandread, dfreiber, dkreling, dsimansk, ehelms, gmalinko, gsmet, hhorak, janstey, jburrell, jcantril, jmartisk, jorton, jsherril, lball, lthon, lzap, matzew, max.andersen, mhulan, mizdebsk, mosmerov, nmoumoul, orabin, pcreech, peholase, pgallagh, pjindal, probinso, rchan, rhuss, rogbas, rruss, rsvoboda, sbiarozk, tqvarnst, vkumar
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: snappy-java 1.1.10.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS).
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2242070
Bug Blocks: 2241720

Description Borja Tarraso 2023-10-02 10:07:19 UTC
snappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to a missing upper bound check on chunk length, an unrecoverable fatal error can occur.

While performing mitigation efforts related to CVE-2023-34455 in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in this commit. The check on line 421 only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or 2,147,483,647 in decimal) before actually attempting to allocate the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java allocating an inappropriate number of bytes on the heap, which can then cause a java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.
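As an added illustration, not the reporter's text or snappy-java's own code, the pattern the comment above describes: a length check that rejects only negative values, beside one that also enforces an upper bound before the allocation. The class, method and helper names and the 32 MiB ceiling are assumptions made for the demo, not snappy-java's.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;

// Model of the chunk-length handling described above; a constructed
// example, not snappy-java's own code.
public class ChunkLengthCheck {
    // Assumed per-chunk ceiling (hypothetical value, not snappy-java's).
    static final int MAX_CHUNK = 32 * 1024 * 1024;
    // Weak pattern: rejects only negative lengths, then allocates blindly,
    // so a header declaring 0x7FFFFFFF reaches new byte[2147483647] and
    // dies with an unrecoverable java.lang.OutOfMemoryError.
    static byte[] readChunkWeak(DataInputStream in) throws IOException {
        int chunkSize = in.readInt();        // 4-byte big-endian length field
        if (chunkSize < 0) {
            throw new IOException("invalid chunk size: " + chunkSize);
        }
        byte[] buf = new byte[chunkSize];
        in.readFully(buf);
        return buf;
    }
    // Hardened pattern: bound the length on both sides before allocating.
    static byte[] readChunkChecked(DataInputStream in) throws IOException {
        int chunkSize = in.readInt();
        if (chunkSize < 0 || chunkSize > MAX_CHUNK) {
            throw new IOException("invalid chunk size: " + chunkSize);
        }
        byte[] buf = new byte[chunkSize];
        in.readFully(buf);                   // EOFException if the body is short
        return buf;
    }
    // Builds a stream from a constructed header and body for the demo.
    static DataInputStream stream(int declaredLen, byte[] body) {
        ByteBuffer b = ByteBuffer.allocate(4 + body.length);
        b.putInt(declaredLen).put(body);
        return new DataInputStream(new ByteArrayInputStream(b.array()));
    }
    public static void main(String[] args) throws IOException {
        byte[] ok = readChunkChecked(stream(3, new byte[]{1, 2, 3}));
        System.out.println("well-formed chunk: " + ok.length + " bytes");
        try {   // header declares 0x7FFFFFFF bytes but carries none
            readChunkChecked(stream(0x7FFFFFFF, new byte[0]));
        } catch (IOException e) {
            System.out.println("rejected before allocating: " + e.getMessage());
        }
    }
}
```

Catching OutOfMemoryError after the fact is a weaker remedy than this, since the allocation attempt has already stressed the heap; the bound belongs before `new byte[chunkSize]`.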

Comment 5 errata-xmlrpc 2023-11-30 11:36:58 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.9

Via RHSA-2023:7612 https://access.redhat.com/errata/RHSA-2023:7612

Comment 6 errata-xmlrpc 2023-12-07 14:26:50 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700

Comment 9 errata-xmlrpc 2024-05-30 20:25:24 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.7.0

Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527

Comment 11 errata-xmlrpc 2025-03-07 11:29:19 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.2

Via RHSA-2024:6536 https://access.redhat.com/errata/RHSA-2024:6536