Bug 2215445 (CVE-2023-34455) - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
Summary: CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
Keywords:
Status: NEW
Alias: CVE-2023-34455
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2215448 2215449 2216107
Blocks: 2215395
 
Reported: 2023-06-16 04:10 UTC by Sandipan Roy
Modified: 2025-09-03 08:28 UTC (History)

Fixed In Version: snappy-java 1.1.10.1
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5147 0 None None None 2023-09-13 15:40:15 UTC
Red Hat Product Errata RHSA-2023:5148 0 None None None 2023-09-13 16:10:04 UTC
Red Hat Product Errata RHSA-2023:5165 0 None None None 2023-09-14 09:51:51 UTC
Red Hat Product Errata RHSA-2023:7653 0 None None None 2023-12-05 14:36:42 UTC
Red Hat Product Errata RHSA-2023:7700 0 None None None 2023-12-07 14:26:47 UTC
Red Hat Product Errata RHSA-2023:7705 0 None None None 2023-12-07 15:32:52 UTC
Red Hat Product Errata RHSA-2024:0148 0 None None None 2024-01-10 13:30:30 UTC
Red Hat Product Errata RHSA-2024:6536 0 None None None 2025-03-07 11:29:24 UTC
Red Hat Product Errata RHSA-2024:6893 0 None None None 2024-09-19 18:12:17 UTC

Description Sandipan Roy 2023-06-16 04:10:26 UTC
CVE-2023-34455 (https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh):

The code in the function hasNextChunk in the file SnappyInputStream.java checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk.

In the case that the `compressed` variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the `chunkSize` variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal `java.lang.OutOfMemoryError` error.
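
The following is an added, self-contained Java example written for this page; it is not snappy-java's code and not the 1.1.10.1 patch, whose exact checks are not described here. It reproduces the pattern the advisory describes (read a 4-byte big-endian header, treat it as a chunk length, allocate a buffer of that size) and places the unchecked allocation beside a hardened version that rejects negative and oversized lengths before allocating. The names, the constructed input headers, and the 64 MiB MAX_CHUNK_SIZE upper bound are assumptions for illustration only.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;

public class ChunkLengthCheck {

    // Assumed upper bound for a single chunk; the real library's limit is
    // not stated on this page. Any bound far below the JVM heap size turns
    // a hostile header into a clean IOException instead of an OutOfMemoryError.
    static final int MAX_CHUNK_SIZE = 64 * 1024 * 1024;

    /**
     * Mirrors the hasNextChunk behaviour described in the advisory: try to
     * read 4 bytes; return null if fewer are available (no more chunks),
     * otherwise interpret them as a big-endian int chunk length.
     */
    static Integer readChunkLength(InputStream in) throws IOException {
        byte[] header = new byte[4];
        int n = in.readNBytes(header, 0, 4);
        if (n < 4) {
            return null;
        }
        return ByteBuffer.wrap(header).getInt();
    }

    /** Unchecked pattern: the header value goes straight into the allocation. */
    static byte[] allocateUnchecked(int chunkSize) {
        return new byte[chunkSize];
    }

    /** Hardened pattern: validate the length before any allocation happens. */
    static byte[] allocateChecked(int chunkSize) throws IOException {
        if (chunkSize < 0 || chunkSize > MAX_CHUNK_SIZE) {
            throw new IOException("invalid chunk length in stream: " + chunkSize);
        }
        return new byte[chunkSize];
    }

    /** Builds a constructed 4-byte header stream carrying the given length. */
    static InputStream streamWithHeader(int value) {
        return new ByteArrayInputStream(ByteBuffer.allocate(4).putInt(value).array());
    }

    public static void main(String[] args) throws IOException {
        // Constructed headers: a sane length, the negative value (0xFFFFFFFF == -1)
        // and the huge positive value (0x7FFFFFFF) named in the advisory.
        int[] headers = { 16, 0xFFFFFFFF, 0x7FFFFFFF };

        for (int h : headers) {
            Integer len = readChunkLength(streamWithHeader(h));
            System.out.printf("header 0x%08X -> chunk length %d%n", h, len);

            // Hardened path: only the sane length is accepted.
            try {
                byte[] buf = allocateChecked(len);
                System.out.println("  checked: allocated " + buf.length + " bytes");
            } catch (IOException e) {
                System.out.println("  checked: rejected (" + e.getMessage() + ")");
            }

            // Unchecked path: shown only for the negative case. The 0x7FFFFFFF case
            // is deliberately skipped because it would attempt a ~2 GiB allocation,
            // which is the OutOfMemoryError the advisory describes.
            if (len < 0) {
                try {
                    allocateUnchecked(len);
                } catch (NegativeArraySizeException e) {
                    System.out.println("  unchecked: NegativeArraySizeException " + e.getMessage());
                }
            }
        }

        // Truncated header (fewer than 4 bytes) means "no more chunks", not an error.
        Integer eof = readChunkLength(new ByteArrayInputStream(new byte[] { 1, 2 }));
        System.out.println("truncated header -> " + eof);
    }
}
```

Compile and run with `javac ChunkLengthCheck.java && java ChunkLengthCheck` (Java 9 or later for `readNBytes`). The defensive point is the ordering: a bound check on the decoded length must run before the `new byte[...]`, because once the allocation is attempted the JVM decides the outcome, and `OutOfMemoryError` is not something a stream reader can meaningfully recover from.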

Comment 9 errata-xmlrpc 2023-09-13 15:40:11 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.2

Via RHSA-2023:5147 https://access.redhat.com/errata/RHSA-2023:5147

Comment 10 errata-xmlrpc 2023-09-13 16:10:01 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.2

Via RHSA-2023:5148 https://access.redhat.com/errata/RHSA-2023:5148

Comment 11 errata-xmlrpc 2023-09-14 09:51:46 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.0

Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165

Comment 14 errata-xmlrpc 2023-12-05 14:36:38 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.5.4 GA

Via RHSA-2023:7653 https://access.redhat.com/errata/RHSA-2023:7653

Comment 15 errata-xmlrpc 2023-12-07 14:26:43 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700

Comment 16 errata-xmlrpc 2023-12-07 15:32:47 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2023:7705 https://access.redhat.com/errata/RHSA-2023:7705

Comment 17 errata-xmlrpc 2024-01-10 13:30:26 UTC
This issue has been addressed in the following products:

  RHINT Camel-K 1.10.5

Via RHSA-2024:0148 https://access.redhat.com/errata/RHSA-2024:0148

Comment 21 errata-xmlrpc 2024-09-19 18:12:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2024:6893 https://access.redhat.com/errata/RHSA-2024:6893

Comment 22 errata-xmlrpc 2025-03-07 11:29:19 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.2

Via RHSA-2024:6536 https://access.redhat.com/errata/RHSA-2024:6536

