deps: update dependency org.xerial.snappy:snappy-java to v1.1.10.4 [security] #1742
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.1.10.3
->1.1.10.4
GitHub Vulnerability Alerts
CVE-2023-43642
Summary
snappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur.
Scope
All versions of snappy-java including the latest released version 1.1.10.3. A fix is applied in 1.1.10.4
Details
While performing mitigation efforts related to CVE-2023-34455 in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in this commit. The check on line 421 only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually attempting to allocate the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.
PoC
Compile and run the following code:
Impact
Denial of Service of applications dependent on snappy-java especially if
ExitOnOutOfMemoryError
orCrashOnOutOfMemoryError
is configured on the JVM.Credits
Jan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team.
We kindly request for a new CVE ID to be assigned once you acknowledge this vulnerability.
Release Notes
xerial/snappy-java (org.xerial.snappy:snappy-java)
v1.1.10.4
Compare Source
What's Changed
Security Fix
🚀 Features
🔗 Dependency Updates
🛠 Internal Updates
Other Changes
Full Changelog: xerial/snappy-java@v1.1.10.3...v1.1.10.4
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.