Security vulnerability: Snappy decompressor can be made to crash JVM #183
Comments
Details:
- Nippy will continue to support thawing OLD data that was originally compressed with Snappy.
- But Nippy will no longer support freezing NEW data with Snappy.
Motivation:
- The current Snappy implementation can cause JVM crashes in some cases [1].
- The only alternative JVM implementation that seems to be safe [2] uses JNI and
so would introduce possible incompatibility issues even for folks not using Snappy.
- Nippy already moved to the superior LZ4 as its default compression scheme in v2.7.0,
more than 9 years ago.
[1] Ref. <airlift/aircompressor#183>
[2] Ref. <https://github.com/xerial/snappy-java>
|
Relates to trinodb/trino#20566 I assume it might be the same issue you have found, but in case you have data which reproduces your crash and the maintainers notice this GitHub issue here, it might be good to share it with them as well just to make sure nothing is overlooked. |
|
Thanks for the report. I'm unable to reproduce the issue based on the steps listed above, even after more than 100 million runs. Are you able to capture and provide a the contents of the array that's causing the crash? That will it easier to diagnose and fix the problem. |
|
@martint Hi Martin, thanks for the response. I'll follow up with the email address on your GitHub profile 👍 |
|
@martint Thanks for enabling private vulnerability reporting, I've also submitted a draft report there with more details and a reproducible example. Would suggest adding @Marcono1234 as a collaborator there (and/or me to their report if appropriate) so that we can better coordinate efforts. |
|
This fixed in release 0.26, which should be available in Maven Central shortly |
Upstream safety issue has been resolved, Ref. <airlift/aircompressor#183>.
Upstream safety issue has been resolved, Ref. <airlift/aircompressor#183>.
Upstream safety issue has been resolved, Ref. <airlift/aircompressor#183>.
Hi there!
I've tried to reach out privately a couple times without success.
Am opening a public report here now since:
I really do appreciate all the hard work on this terrific library, and realise that the maintainers might have many priorities to juggle!
Will end the report with some tiered suggestions from low->high effort.
Thanks for reading!
Vulnerability
io.airlift.compress.snappy.SnappyDecompressoris able to crash the JVM given malicious or malformed input.This is reproducible with at least:
Steps to reproduce
io.airlift.compress.snappy.SnappyDecompressorto try to decompress the random data, trapping exceptions.I.e. it seems that certain patterns of random data will cause
io.airlift.compress.snappy.SnappyDecompressorto crash the JVM.This issue seems to affect only the Snappy decompressor. Zstd, LZ4, LZO, and LZMA2 all seem to be fine under the same test.
Additional context
Implications
Users of aircompressor (directly or transitively) MAY be vulnerable to JVM crashes IF BOTH:
io.airlift.compress.snappy.SnappyDecompressoris not guaranteed be valid (e.g. via verified HMAC or other means).There's at least 3 relevant scenarios that come to mind:
Mitigations for users
I believe that either of the following should help:
Don't use aircompressor for Snappy decompression.
a. Use Zstd, LZ4, LZO, and LZMA2 instead - these all seem to be safe.
b. Use https://github.com/xerial/snappy-java instead - it appears to be safe.
Use some mechanism for ensuring that no decompression attempts are made against unverified (esp. arbitrary user-controlled) data.
Suggested action
Some ideas sorted from low->high effort include:
SECURITY.mdand info re: process for vulnerability disclosure #176.Again, my sincere thanks for all the hard work on aircompressor - it's a wonderful tool and a generous thing to make available as open source.
The text was updated successfully, but these errors were encountered: