CVE-2023-43642
Denial of Service (DoS) vulnerability in snappy-java (Maven)

Denial of Service (DoS) | No known exploit

What is CVE-2023-43642 About?

This vulnerability in snappy-java's SnappyInputStream allows an attacker to trigger a Denial of Service (DoS) by supplying compressed data whose chunk header declares an excessively large chunk size. Because there is no upper bound check on the chunk length, the library allocates a buffer of the attacker-declared size and fails with an `OutOfMemoryError`. Exploitation is straightforward for anyone who can feed input to the decompressor: the oversized length is declared in a few header bytes and does not need to be backed by real data.

Affected Software

org.xerial.snappy:snappy-java <1.1.10.4

Technical Details

SnappyInputStream reads each chunk of the compressed stream as a 4-byte length prefix followed by that many compressed bytes, and sizes its working buffer from that prefix. The fix for CVE-2023-34455 (shipped in 1.1.10.1) added only a check that chunkSize is not negative; it did not bound large positive values, so a declared length such as 0x7FFFFFFF, the largest value a signed 32-bit int can hold, passes validation. The library then attempts to allocate a byte array of that size from the unchecked chunkSize variable before reading the chunk body. An allocation of that size fails with java.lang.OutOfMemoryError on any practical heap, which unwinds the decompressing thread; if the JVM runs with -XX:+ExitOnOutOfMemoryError or -XX:+CrashOnOutOfMemoryError, the whole process terminates. Declared lengths that are large but still fit in the heap are allocated in full, so a stream of such requests can exhaust memory even when no single allocation fails. The attacker needs only a handful of crafted bytes to trigger this, because the length field is trusted before any data is read. Version 1.1.10.4 adds the missing upper-bound check.
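To make the check concrete, the following added example (written for this page, not code from snappy-java) models only the 4-byte chunk-length prefix that SnappyInputStream reads and the allocation that follows it; the stream magic header and the actual snappy decompression are omitted. It builds a constructed hostile fragment that declares a length of 0x7FFFFFFF while carrying zero bytes, which also illustrates the exploitability point that the attacker controls the declared size, not the data behind it. The `MAX_CHUNK_SIZE` value is an assumed example limit, not snappy-java's actual constant, and the method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

/**
 * Unbounded chunk-length allocation in the style of the pre-1.1.10.4
 * SnappyInputStream, beside a bounded version of the same read.
 */
public class ChunkLengthCheckDemo {

    /** Assumed example limit for one compressed chunk (not snappy-java's real constant). */
    static final int MAX_CHUNK_SIZE = 8 * 1024 * 1024;

    /**
     * Constructed stream fragment: a big-endian 4-byte declared length followed by
     * actualPayload filler bytes. A hostile fragment declares far more than it carries.
     */
    static byte[] chunkWithDeclaredLength(int declaredLength, int actualPayload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(declaredLength);        // same byte order as SnappyOutputStream.writeInt
        out.write(new byte[actualPayload]);  // filler standing in for compressed bytes
        out.flush();
        return bos.toByteArray();
    }

    /** Pattern of versions before 1.1.10.4: only a negative check before allocating. */
    static byte[] readChunkUnbounded(DataInputStream in) throws IOException {
        int chunkSize = in.readInt();
        if (chunkSize < 0) {
            throw new IOException("chunkSize is negative: " + chunkSize);
        }
        byte[] compressed = new byte[chunkSize]; // chunkSize = 0x7FFFFFFF -> OutOfMemoryError
        in.readFully(compressed);
        return compressed;
    }

    /** Hardened pattern: reject out-of-range lengths before any allocation happens. */
    static byte[] readChunkBounded(DataInputStream in) throws IOException {
        int chunkSize = in.readInt();
        if (chunkSize < 0 || chunkSize > MAX_CHUNK_SIZE) {
            throw new IOException("chunkSize out of range: " + chunkSize);
        }
        byte[] compressed = new byte[chunkSize];
        in.readFully(compressed);
        return compressed;
    }

    static DataInputStream open(byte[] data) {
        return new DataInputStream(new ByteArrayInputStream(data));
    }

    public static void main(String[] args) throws IOException {
        byte[] benign = chunkWithDeclaredLength(16, 16);
        byte[] hostile = chunkWithDeclaredLength(0x7FFFFFFF, 0); // 4 bytes on the wire, 2 GiB declared

        System.out.println("bounded, benign:   read " + readChunkBounded(open(benign)).length + " bytes");
        System.out.println("unbounded, benign: read " + readChunkUnbounded(open(benign)).length + " bytes");

        try {
            readChunkBounded(open(hostile));
        } catch (IOException e) {
            System.out.println("bounded, hostile:  rejected (" + e.getMessage() + ")");
        }

        try {
            readChunkUnbounded(open(hostile));
        } catch (OutOfMemoryError e) {
            // Caught here only to make the failure visible. In a real service the error
            // unwinds the decompressing thread, and with -XX:+ExitOnOutOfMemoryError
            // it terminates the JVM.
            System.out.println("unbounded, hostile: " + e);
        }
    }
}
```

The bounded reader fails closed on a 4-byte header without touching the heap, which is the property the 1.1.10.4 fix restores. Note that a declared length just below the configured heap maximum would not throw in the unbounded reader; it would simply be allocated, so capping the declared length is the check that matters, not catching the error.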

What is the Impact of CVE-2023-43642?

Successful exploitation causes the application to attempt an allocation sized by the attacker, leading to an `OutOfMemoryError` in the decompressing thread and, depending on JVM flags and how the error is handled, loss of the request, the worker, or the whole process: a denial of service that renders the application unavailable.

What is the Exploitability of CVE-2023-43642?

Exploitation is of low to medium complexity: the attacker only needs to get specially crafted bytes in front of an affected SnappyInputStream. There are no authentication or privilege requirements, because the flaw sits in the decompression path itself. It is reachable remotely wherever snappy-compressed data is ingested from external sources (message brokers, RPC payloads, uploaded files). The single constraint is the attacker's ability to inject or control malformed compressed data. Exposure is highest for applications that decompress untrusted input without a size limit on the incoming payload and for JVMs configured to terminate on OutOfMemoryError.

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary entries listed).

What are the Available Fixes for CVE-2023-43642?

Available Upgrade Options

  • org.xerial.snappy:snappy-java
    • <1.1.10.4 → Upgrade to 1.1.10.4

snappy-java is usually pulled in transitively (Kafka and Spark clients, for example), so check the resolved version with `mvn dependency:tree -Dincludes=org.xerial.snappy` and pin 1.1.10.4 or later in dependencyManagement if a transitive dependency still brings in an older release.


Additional Resources

What are Similar Vulnerabilities to CVE-2023-43642?

Similar Vulnerabilities: CVE-2023-34455, CVE-2023-33202, CVE-2023-30798, CVE-2022-21448, CVE-2021-35515