CVE-2022-26477: Denial of service in readExternal method

First published: Mon Jun 27 2022(Updated: )

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a "low-priority but useful improvement". SystemDS is a distributed system and needs to serialize/deserialize data but in many code paths (e.g., on Spark broadcast/shuffle or writing to sequence files) the byte stream is anyway protected by additional CRC fingerprints. In this particular case though, the number of decoders is upper-bounded by twice the number of columns, which means an attacker would need to modify two entries in the byte stream in a consistent manner. By adding these checks robustness was strictly improved with almost zero overhead. These code changes are available in versions higher than 2.2.1.

Credit: security@apache.org security@apache.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• collector/mitre-cve
• source/MITRE
• agent/weakness
• agent/description
• agent/title
• agent/first-publish-date
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-m43h-hfrq-x8wx
• alias/CVE-2022-26477
• agent/software-canonical-lookup
• agent/last-modified-date
• agent/severity
• agent/references
• agent/event
• agent/softwarecombine
• collector/nvd-cve
• source/NVD
• agent/author
• collector/github-advisory
• agent/trending
• agent/tags
• agent/source
• vendor/apache
• canonical/apache systemds
• version/apache systemds/2.2.1
• package-manager/pip
• package-manager/maven