CVE-2023-34455
Denial of Service vulnerability in snappy-java (Maven)
What is CVE-2023-34455 About?
This vulnerability in snappy-java can lead to a Denial of Service due to unchecked chunk lengths. An attacker can provide specially crafted input that triggers a negative or excessively large array allocation, causing the application to crash. Exploitation is relatively easy and consists of sending malicious compressed data.
Affected Software
Technical Details
The vulnerability exists in the hasNextChunk function of SnappyInputStream.java within the snappy-java library. This function reads 4 bytes to determine the size of the next data chunk. If these 4 bytes represent a negative integer (e.g., 0xFFFFFFFF) or a huge positive value (e.g., 0x7FFFFFFF), the subsequent new byte[chunkSize] allocation results in a java.lang.NegativeArraySizeException or a java.lang.OutOfMemoryError, respectively. This occurs because the chunkSize variable is not validated before it is used to allocate a byte array, which lets an attacker control the size of the memory allocation by manipulating the incoming data stream.
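The unchecked allocation described above next to a checked version, as an added Java example that is not snappy-java's code or its actual fix. The class and method names, MAX_CHUNK_SIZE, the big-endian length read and the sample bytes are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

public class ChunkLengthCheck {
    // Assumed per-chunk ceiling (not a snappy-java constant); size it to the application.
    static final int MAX_CHUNK_SIZE = 64 * 1024 * 1024;
    // Unchecked pattern: the length read from the stream goes straight into the allocation.
    static byte[] readChunkUnchecked(DataInputStream in) throws IOException {
        int chunkSize = in.readInt();      // 4 bytes, read here as a big-endian signed int
        byte[] buf = new byte[chunkSize];  // negative or huge values fail at this line
        in.readFully(buf);
        return buf;
    }

    // Checked pattern: validate the length before any allocation happens.
    static byte[] readChunkChecked(DataInputStream in) throws IOException {
        int chunkSize = in.readInt();
        if (chunkSize < 0 || chunkSize > MAX_CHUNK_SIZE) {
            throw new IOException("invalid chunk size: " + chunkSize);
        }
        byte[] buf = new byte[chunkSize];
        in.readFully(buf);                 // EOFException if fewer bytes follow than declared
        return buf;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the two header values named above, then a valid 3-byte chunk.
        byte[][] samples = {
            {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF},
            {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF},
            {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'},
        };
        for (byte[] raw : samples) {
            try {
                DataInputStream in = new DataInputStream(new ByteArrayInputStream(raw));
                System.out.println("unchecked: " + readChunkUnchecked(in).length + " bytes");
            } catch (IOException | RuntimeException | OutOfMemoryError e) {
                System.out.println("unchecked: " + e);
            }
            try {
                DataInputStream in = new DataInputStream(new ByteArrayInputStream(raw));
                System.out.println("checked:   " + readChunkChecked(in).length + " bytes");
            } catch (IOException e) {
                System.out.println("checked:   rejected, " + e.getMessage());
            }
        }
    }
}
```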
What is the Impact of CVE-2023-34455?
Successful exploitation may allow attackers to cause the application to crash, leading to a complete Denial of Service for affected services or systems.
What is the Exploitability of CVE-2023-34455?
Exploitation is relatively straightforward and requires constructing a specially crafted compressed data stream. The attacker needs to be able to supply malformed input, such as a compressed stream with an invalid chunk length header. There are no specific authentication or privilege requirements to exploit this, as it targets how the application processes input data. This is typically a remote vulnerability, where an attacker sends the malicious data over a network, but could also be local if the application processes local files. The primary condition is that the application uses the vulnerable snappy-java library and processes untrusted compressed input. Risk factors include applications that accept and decompress user-provided data directly.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-34455?
Available Upgrade Options
- org.xerial.snappy:snappy-java
  - <1.1.10.1 → Upgrade to 1.1.10.1
Additional Resources
- https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea
- https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388
- https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java
- https://security.netapp.com/advisory/ntap-20230818-0009
- https://github.com/xerial/snappy-java
- https://nvd.nist.gov/vuln/detail/CVE-2023-34455
What are Similar Vulnerabilities to CVE-2023-34455?
Similar Vulnerabilities: CVE-2022-26284, CVE-2021-39144, CVE-2020-13955, CVE-2019-17571, CVE-2017-0808
