Bug 2241722 (CVE-2023-43642) - CVE-2023-43642 snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact
Summary: CVE-2023-43642 snappy-java: Missing upper bound check on chunk length in snap...
Keywords:
Status: NEW
Alias: CVE-2023-43642
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2242070
Blocks: 2241720
TreeView+ depends on / blocked
 
Reported: 2023-10-02 10:07 UTC by Borja Tarraso
Modified: 2025-05-06 08:29 UTC (History)
45 users (show)

Fixed In Version: snappy-java 1.1.10.4
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7612 0 None None None 2023-11-30 11:37:02 UTC
Red Hat Product Errata RHSA-2023:7700 0 None None None 2023-12-07 14:26:52 UTC
Red Hat Product Errata RHSA-2024:3527 0 None None None 2024-05-30 20:25:27 UTC
Red Hat Product Errata RHSA-2024:6536 0 None None None 2025-03-07 11:29:23 UTC

Description Borja Tarraso 2023-10-02 10:07:19 UTC 
snappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur.

While performing mitigation efforts related to CVE-2023-34455 in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in this commit. The check on line 421 only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually attempting to allocate the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.
Comment 5 errata-xmlrpc 2023-11-30 11:36:58 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.9

Via RHSA-2023:7612 https://access.redhat.com/errata/RHSA-2023:7612
Comment 6 errata-xmlrpc 2023-12-07 14:26:50 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700
Comment 9 errata-xmlrpc 2024-05-30 20:25:24 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.7.0

Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527
Comment 11 errata-xmlrpc 2025-03-07 11:29:19 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.2

Via RHSA-2024:6536 https://access.redhat.com/errata/RHSA-2024:6536
Note You need to log in before you can comment on or make changes to this bug.