CVE-2023-34454
Denial of Service vulnerability in snappy-java (Maven)
What is CVE-2023-34454 About?
This vulnerability in the snappy-java library allows a Denial of Service (DoS) due to unchecked integer multiplications that can overflow. When compressing large input arrays, the multiplication can yield a negative array size or an undersized buffer allocation, causing a `NegativeArraySizeException` or an `EXCEPTION_ACCESS_VIOLATION`. Triggering it is relatively easy: an attacker only has to supply a sufficiently large input to the compression functions.
Affected Software
Technical Details
The snappy-java library is vulnerable to a Denial of Service (DoS) due to an integer overflow in its compress functions, specifically within `compress(char[] input)`. When a large character array (e.g., of length 0x40000000) is passed to `compress`, the function computes `input.length * 2` to determine the raw buffer size. This multiplication can overflow, producing a negative value. If `rawCompress` receives a negative `byteSize`, `Snappy.maxCompressedLength` may return a value that, once cast back to a signed Java `int`, is also negative; this triggers a `java.lang.NegativeArraySizeException` during buffer allocation. Alternatively, if the overflow yields a small positive size, a buffer that is too small is allocated, and the native compression routine then faults with an `EXCEPTION_ACCESS_VIOLATION`. Both outcomes are unrecoverable fatal errors.
What is the Impact of CVE-2023-34454?
Successful exploitation may allow attackers to cause applications to crash or become unresponsive due to `NegativeArraySizeException` or `EXCEPTION_ACCESS_VIOLATION`, leading to a denial of service.
What is the Exploitability of CVE-2023-34454?
Exploitation of this Denial of Service vulnerability is of low complexity. An attacker needs to supply a very large input array (e.g., a character array close to the maximum integer size) to the compress functions (e.g., `Snappy.compress(char[] input)`). No authentication or privileges are required to trigger it, provided the attacker can submit arbitrary data for compression. It is remotely exploitable whenever the application accepts large, untrusted data for compression. The primary prerequisites are that the application uses an affected version of snappy-java and passes sufficiently large untrusted inputs to its compression functions. Risk factors include compressing user-supplied data without size validation, especially in contexts where large payloads are expected.
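As an added example that is not part of this advisory or of snappy-java's own source, the following Java program reproduces the arithmetic described under Technical Details and shows the caller-side size validation that the Exploitability section identifies as the missing control. The class and method names and the `MAX_INPUT_CHARS` cap are illustrative assumptions, not values from the library.

```java
/**
 * Added example (not snappy-java code): reproduces the unchecked
 * `input.length * 2` calculation behind CVE-2023-34454 and shows how a
 * caller can validate input size before handing untrusted data to a
 * compression routine.
 */
public class SnappyInputSizeGuard {

    /** The advisory's unchecked calculation: a char[] occupies length * 2 bytes. */
    static int uncheckedRawByteSize(int charCount) {
        // Silently wraps to a negative int once charCount reaches 0x40000000.
        return charCount * 2;
    }

    /** Hardened variant: fails loudly instead of producing a wrapped size. */
    static int checkedRawByteSize(int charCount) {
        // Math.multiplyExact throws ArithmeticException on int overflow.
        return Math.multiplyExact(charCount, 2);
    }

    /** Hypothetical application cap on the number of chars accepted for compression. */
    static final int MAX_INPUT_CHARS = 64 * 1024 * 1024;

    /**
     * Caller-side guard: the byte size is computed in 64-bit arithmetic so it
     * cannot wrap, and the input is rejected before any buffer is allocated if
     * it exceeds the cap or cannot be addressed by a Java int.
     */
    static boolean isAcceptableForCompression(int charCount) {
        if (charCount < 0 || charCount > MAX_INPUT_CHARS) {
            return false;
        }
        long rawBytes = (long) charCount * 2L; // 64-bit product: no overflow possible
        return rawBytes <= Integer.MAX_VALUE;
    }

    public static void main(String[] args) {
        int hostile = 0x40000000; // the length cited in the advisory (2^30 chars)
        int benign = 1 << 20;     // 1 MiB of chars, a realistic payload

        System.out.println("unchecked raw size for 0x40000000 chars: "
                + uncheckedRawByteSize(hostile));

        try {
            checkedRawByteSize(hostile);
            System.out.println("checked raw size: accepted");
        } catch (ArithmeticException e) {
            System.out.println("checked raw size: rejected (" + e.getMessage() + ")");
        }

        System.out.println("guard accepts 1 MiB of chars: "
                + isAcceptableForCompression(benign));
        System.out.println("guard accepts 0x40000000 chars: "
                + isAcceptableForCompression(hostile));
    }
}
```

For the hostile length, `uncheckedRawByteSize` returns `Integer.MIN_VALUE`, which is the negative `byteSize` the advisory describes reaching `rawCompress`; `checkedRawByteSize` throws instead, and the guard rejects the input outright. Whether a build pulls in the affected artifact at all can be checked with `mvn dependency:tree -Dincludes=org.xerial.snappy:snappy-java`, which lists every path through which the dependency is resolved.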
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-34454?
Available Upgrade Options
- org.xerial.snappy:snappy-java
- <1.1.10.1 → Upgrade to 1.1.10.1
Additional Resources
- https://github.com/xerial/snappy-java/security/advisories/GHSA-fjpj-2g6w-x25r
- https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java
- https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422
- https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169
- https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94
- https://github.com/xerial/snappy-java
What are Similar Vulnerabilities to CVE-2023-34454?
Similar Vulnerabilities: CVE-2023-43642, CVE-2023-33202, CVE-2023-30798, CVE-2022-21448, CVE-2021-35515
