
deps: update dependency org.xerial.snappy:snappy-java to v1.1.10.4 [security] #1742

renovate-bot (Contributor) commented Sep 25, 2023

Mend Renovate

This PR contains the following updates:

Package: org.xerial.snappy:snappy-java
Change: 1.1.10.3 -> 1.1.10.4

GitHub Vulnerability Alerts

CVE-2023-43642

Summary

snappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur.

Scope

All versions of snappy-java including the latest released version 1.1.10.3. A fix is applied in 1.1.10.4.

Details

While performing mitigation efforts related to CVE-2023-34455 in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in this commit. The check on line 421 only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or 2,147,483,647 in decimal) before actually attempting to allocate the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause a java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.

PoC

Compile and run the following code:

package org.example;

import org.xerial.snappy.SnappyInputStream;

import java.io.*;

public class Main {

    public static void main(String[] args) throws IOException {
        // Minimal snappy-java stream: 8-byte magic header (0x82 "SNAPPY" 0x00),
        // 4-byte version, 4-byte compatible version, then the first chunk length.
        // The chunk length is 0x7FFFFFFF (Integer.MAX_VALUE): it is not negative,
        // so the 1.1.10.1 check lets it through and the library tries to allocate ~2 GiB.
        byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       (byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
        byte[] out = new byte[50];
        try {
            in.read(out); // reads the chunk header and attempts the oversized allocation
        }
        catch (Exception ignored) {
            // java.lang.OutOfMemoryError is an Error, not an Exception, so it is not caught here
        }
    }
}

Impact

Denial of Service of applications dependent on snappy-java especially if ExitOnOutOfMemoryError or CrashOnOutOfMemoryError is configured on the JVM.

Credits

Jan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team.

We kindly request that a new CVE ID be assigned once you acknowledge this vulnerability.


Release Notes

xerial/snappy-java (org.xerial.snappy:snappy-java)

v1.1.10.4


What's Changed
Security Fix
  • CVE-2023-43642 Fixed SnappyInputStream so as not to allocate too much memory when decompressing data with an extremely large chunk size by @tunnelshade (code change)
    • This does not affect users only using Snappy.compress/uncompress methods

Full Changelog: xerial/snappy-java@v1.1.10.3...v1.1.10.4


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
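To make the advisory's point concrete, the following Python is an added illustration written for this page; it is not code from snappy-java, from the advisory authors, or from this repository. It models the stream framing that the PoC bytes exercise (an 8-byte magic header 0x82 "SNAPPY" 0x00, a 4-byte version, a 4-byte compatible version, then chunks of a 4-byte big-endian signed length followed by that many payload bytes) and places the negative-only check described in the Details section beside a check with the missing upper bound. The function names, the MAX_CHUNK_SIZE cap and the sample streams are assumptions made for the example; snappy-java's real limit, method names and error types may differ.

```python
"""Model of the snappy-java stream framing and its chunk-length check.

Added illustration for this page; not snappy-java code. Layout assumed from
the advisory's PoC bytes: 8-byte magic, 4-byte version, 4-byte compatible
version, then chunks of [4-byte big-endian signed length][payload].
"""
import struct

MAGIC = b"\x82SNAPPY\x00"
HEADER_LEN = len(MAGIC) + 4 + 4  # magic + version + compatibleVersion

# Assumed cap for the example; snappy-java's actual limit may differ.
MAX_CHUNK_SIZE = 512 * 1024 * 1024


def negative_only_check(chunk_size: int) -> bool:
    """The 1.1.10.1-style check the advisory criticises: rejects only negatives."""
    return chunk_size >= 0


def bounded_check(chunk_size: int) -> bool:
    """Adds the missing upper bound so an untrusted length cannot drive a huge allocation."""
    return 0 <= chunk_size <= MAX_CHUNK_SIZE


def read_chunk_lengths(stream: bytes, check) -> list:
    """Walk the framed stream and return the chunk lengths the check accepted.

    Raises ValueError on a bad header or a rejected length. The allocation
    the real library would perform after the check is recorded, not done.
    """
    if stream[: len(MAGIC)] != MAGIC:
        raise ValueError("bad magic header")
    if len(stream) < HEADER_LEN:
        raise ValueError("truncated header")
    # version and compatibleVersion are parsed but play no part in the check
    struct.unpack(">ii", stream[len(MAGIC):HEADER_LEN])
    pos = HEADER_LEN
    accepted = []
    while pos + 4 <= len(stream):
        # Signed 32-bit like Java's int: 0xFFFFFFFF reads as -1, 0x7FFFFFFF as 2**31-1
        (chunk_size,) = struct.unpack(">i", stream[pos:pos + 4])
        pos += 4
        if not check(chunk_size):
            raise ValueError(f"rejected chunk length {chunk_size}")
        accepted.append(chunk_size)  # the library would allocate chunk_size bytes here
        pos += chunk_size  # skip the payload
    return accepted


def is_rejected(stream: bytes, check) -> bool:
    """True if the check refuses some chunk length in the stream."""
    try:
        read_chunk_lengths(stream, check)
    except ValueError:
        return True
    return False


# Constructed sample streams. POC_STREAM mirrors the advisory's PoC bytes;
# the benign payload is placeholder bytes, not real snappy-compressed data.
POC_STREAM = MAGIC + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00" + b"\x7f\xff\xff\xff"
NEGATIVE_STREAM = MAGIC + struct.pack(">ii", 1, 1) + struct.pack(">i", -1)
BENIGN_STREAM = MAGIC + struct.pack(">ii", 1, 1) + struct.pack(">i", 5) + b"\x00" * 5

if __name__ == "__main__":
    samples = [("poc", POC_STREAM), ("negative", NEGATIVE_STREAM), ("benign", BENIGN_STREAM)]
    checks = [("negative-only", negative_only_check), ("bounded", bounded_check)]
    for name, stream in samples:
        for label, check in checks:
            try:
                print(name, label, "accepted", read_chunk_lengths(stream, check))
            except ValueError as err:
                print(name, label, "rejected:", err)
```

Run directly, the PoC stream is accepted by the negative-only check (the recorded allocation is Integer.MAX_VALUE bytes) and refused by the bounded one, while the benign stream passes both. The point for anyone reviewing such a fix is where the check sits: it must run before any buffer sized from the untrusted length is allocated, and because java.lang.OutOfMemoryError is an Error rather than an Exception, a try/catch of Exception around read(), as in the PoC, does not contain it.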

@renovate-bot renovate-bot requested review from a team as code owners September 25, 2023 18:39
@renovate-bot force-pushed the renovate/maven-org.xerial.snappy-snappy-java-vulnerability branch from f011b61 to 2ab2504 on September 25, 2023 18:39
@trusted-contributions-gcf bot added the kokoro:force-run and owlbot:run labels on Sep 25, 2023
@product-auto-label bot added the size: xs and api: pubsub labels on Sep 25, 2023
@gcf-owl-bot bot removed the owlbot:run label on Sep 25, 2023
@yoshi-kokoro removed the kokoro:force-run label on Sep 25, 2023
@diegomarquezp diegomarquezp merged commit 70ba500 into googleapis:main Sep 27, 2023
20 checks passed
@renovate-bot renovate-bot deleted the renovate/maven-org.xerial.snappy-snappy-java-vulnerability branch September 27, 2023 18:17
gcf-merge-on-green bot pushed a commit that referenced this pull request Sep 27, 2023
🤖 I have created a release *beep* *boop*
---


## [1.125.3](https://togithub.com/googleapis/java-pubsub/compare/v1.125.2...v1.125.3) (2023-09-27)


### Dependencies

* Update dependency com.google.cloud:google-cloud-core to v2.24.1 ([#1737](https://togithub.com/googleapis/java-pubsub/issues/1737)) ([48a4432](https://togithub.com/googleapis/java-pubsub/commit/48a44321ad34edd8c297ccc57445ec36916171cb))
* Update dependency com.google.cloud:google-cloud-shared-dependencies to v3.16.1 ([#1738](https://togithub.com/googleapis/java-pubsub/issues/1738)) ([e2cf7c1](https://togithub.com/googleapis/java-pubsub/commit/e2cf7c110b72dff695a46a972687a595216934e6))
* Update dependency org.apache.avro:avro to v1.11.3 ([#1740](https://togithub.com/googleapis/java-pubsub/issues/1740)) ([971b35f](https://togithub.com/googleapis/java-pubsub/commit/971b35f5d26263ef3c1d83b6282680ac1608c032))
* Update dependency org.xerial.snappy:snappy-java to v1.1.10.4 [security] ([#1742](https://togithub.com/googleapis/java-pubsub/issues/1742)) ([70ba500](https://togithub.com/googleapis/java-pubsub/commit/70ba500cc014cb9d0e1799997aa0682239b97cde))
* Update dependency org.xerial.snappy:snappy-java to v1.1.10.5 ([#1746](https://togithub.com/googleapis/java-pubsub/issues/1746)) ([a4b1994](https://togithub.com/googleapis/java-pubsub/commit/a4b199414cad5cb061330832b2bf2a8bbe76bcbd))

---
This PR was generated with [Release Please](https://togithub.com/googleapis/release-please). See [documentation](https://togithub.com/googleapis/release-please#release-please).