Snappy-Java is a high-performance compressor and decompressor library used in Java applications. A security vulnerability has been identified in versions prior to 1.1.10.1: a chunk length read from the input stream is used without validation, which lets a crafted stream trigger an unrecoverable fatal error in the JVM. This post walks through CVE-2023-34455, the affected code in SnappyInputStream.java, and how to fix it.

Here is the relevant code snippet from the function hasNextChunk in the SnappyInputStream.java file:

private boolean hasNextChunk() throws IOException {
  if (!ensureRead(4)) {
    return false;
  }
  // Read 4 bytes as chunkSize
  int chunkSize = readInt();
  if (chunkSize == 0) {
    return false;
  }
  // chunkSize is neither checked for a negative value nor bounded before use
  ensureNextOutputHasSize(0, uncompressedDirectBuf.remaining());
  …

Issue Details

The function hasNextChunk, which checks whether a stream has more chunks to read, tries to read 4 bytes. If it cannot read 4 bytes, it returns false. If 4 bytes are available, the code treats them as a big-endian integer and uses that integer as the length of the next chunk (chunkSize).

The issue arises later in the function, when the compressed buffer is null and a byte array is allocated with the size taken from the input data. The code does not validate chunkSize, so an attacker-controlled stream can supply a negative value (e.g., 0xFFFFFFFF, which is -1), causing a java.lang.NegativeArraySizeException. Worse, a very large positive value (e.g., 0x7FFFFFFF) makes the allocation fail with java.lang.OutOfMemoryError. OutOfMemoryError is an Error, not an Exception, so a caller's catch block for IOException or Exception will not handle it; a single crafted stream is enough to take down a service that decompresses untrusted snappy data. In short, this is a remotely triggerable denial of service, not a memory-corruption bug.
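To make the failure mode concrete, here is an added, self-contained Java example written for this post. It is not snappy-java's code and not from the project: it is a length-prefixed chunk reader shaped like hasNextChunk(), first trusting the 4-byte length the way the pre-1.1.10.1 code did, then bounding it before allocation. The names ChunkLengthDemo, readChunkUnchecked, readChunkChecked, frame and MAX_CHUNK_SIZE are hypothetical, and the three input streams are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;

// Added illustration, not snappy-java code: a length-prefixed chunk reader
// in the shape of hasNextChunk(). Helper names are hypothetical.
public class ChunkLengthDemo {

    // Assumed upper bound for one chunk. A real reader would derive it from
    // the format (the block size the writer used), not pick it arbitrarily.
    static final int MAX_CHUNK_SIZE = 32 * 1024 * 1024;

    // Reads the 4-byte big-endian chunk length; returns null at end of stream,
    // mirroring hasNextChunk() returning false when fewer than 4 bytes remain.
    static Integer readChunkSize(InputStream in) throws IOException {
        byte[] header = new byte[4];
        int got = 0;
        while (got < 4) {
            int n = in.read(header, got, 4 - got);
            if (n < 0) {
                return null;
            }
            got += n;
        }
        return ByteBuffer.wrap(header).getInt();
    }

    // Pre-fix shape: the length from the wire goes straight into new byte[].
    // 0xFFFFFFFF (-1) -> NegativeArraySizeException; 0x7FFFFFFF -> OutOfMemoryError.
    // Neither is an IOException, so a caller's stream-error handling never sees them.
    static byte[] readChunkUnchecked(InputStream in) throws IOException {
        Integer size = readChunkSize(in);
        if (size == null) {
            return null;
        }
        byte[] compressed = new byte[size];
        new DataInputStream(in).readFully(compressed);
        return compressed;
    }

    // Hardened shape: reject the length before it reaches the allocator and
    // fail with a checked IOException that the caller can recover from.
    static byte[] readChunkChecked(InputStream in) throws IOException {
        Integer size = readChunkSize(in);
        if (size == null) {
            return null;
        }
        if (size < 0 || size > MAX_CHUNK_SIZE) {
            throw new IOException("invalid chunk size " + size);
        }
        byte[] compressed = new byte[size];
        new DataInputStream(in).readFully(compressed); // EOFException if the body is truncated
        return compressed;
    }

    // Constructed input: a 4-byte big-endian declared length followed by a body.
    static byte[] frame(int declaredLength, byte[] body) {
        return ByteBuffer.allocate(4 + body.length).putInt(declaredLength).put(body).array();
    }

    public static void main(String[] args) {
        byte[] body = {1, 2, 3, 4, 5};
        byte[][] inputs = {
            frame(5, body),           // honest chunk: length matches the body
            frame(0xFFFFFFFF, body),  // -1: negative length
            frame(0x7FFFFFFF, body),  // 2 GiB declared, 5 bytes actually present
        };
        for (byte[] input : inputs) {
            int declared = ByteBuffer.wrap(input).getInt();
            try {
                byte[] chunk = readChunkUnchecked(new ByteArrayInputStream(input));
                System.out.println("unchecked " + declared + ": read " + chunk.length + " bytes");
            } catch (Throwable t) { // Throwable on purpose: OutOfMemoryError is not an Exception
                System.out.println("unchecked " + declared + ": " + t.getClass().getName());
            }
            try {
                byte[] chunk = readChunkChecked(new ByteArrayInputStream(input));
                System.out.println("checked   " + declared + ": read " + chunk.length + " bytes");
            } catch (IOException e) {
                System.out.println("checked   " + declared + ": " + e.getMessage());
            }
        }
    }
}
```

Compile and run with javac ChunkLengthDemo.java && java ChunkLengthDemo. The unchecked path reads the honest chunk, throws NegativeArraySizeException for -1, and throws OutOfMemoryError for 0x7FFFFFFF (HotSpot refuses an array of that length before it even consults the heap limit); the checked path reads the honest chunk and turns both hostile lengths into an IOException the caller can log and drop. The bound on chunkSize is the whole fix: the later readFully already copes with a short body, but only once the allocation has been refused.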

Original References

- Snappy-Java GitHub Repository
- CVE-2023-34455 Details
- Snappy-Java 1.1.10.1 Release Notes

Patch and Solution

Developers using the Snappy-Java library should update their projects to version 1.1.10.1 or later, which contains the patch for this issue. To update the Snappy-Java dependency, change the version in your project's build configuration (pom.xml for Maven, build.gradle for Gradle). Note that snappy-java is very often pulled in transitively by another library rather than declared directly; in that case, confirm the version that is actually resolved (Maven's dependency:tree goal or Gradle's dependencyInsight task shows it) and pin the fixed version through dependency management or a direct declaration if the transitive one is still old:

<!-- Maven -->
<dependency>
  <groupId>org.xerial.snappy</groupId>
  <artifactId>snappy-java</artifactId>
  <version>1.1.10.1</version>
</dependency>
// Gradle
implementation 'org.xerial.snappy:snappy-java:1.1.10.1'

Conclusion

CVE-2023-34455 highlights the importance of validating length fields from untrusted input before they drive allocation, even when the failure looks as mundane as a negative or oversized value. With the patch applied in version 1.1.10.1, Snappy-Java users avoid the JVM-level failures this issue can cause. Make sure every copy of Snappy-Java your projects resolve, including transitive ones, is on 1.1.10.1 or later.

Timeline

Published on: 06/15/2023 18:15:09 UTC
Last modified on: 08/18/2023 14:15:23 UTC