CVE-2023-3635 - GzipSource Vulnerability May Lead to Denial of Service in Okio Clients

CVE-2023-3635 refers to a security vulnerability in the GzipSource Java class of the Okio library, a widely used I/O library for Android and Java applications. The vulnerability arises from GzipSource's failure to handle exceptions raised while parsing a malformed GZIP buffer. As a result, an attacker could craft a GZIP archive that triggers a denial of service (DoS) in Okio clients. In this post, we will explore the details of the vulnerability, provide code snippets for better understanding, and share links to the original references.

The Vulnerability

The root cause of this vulnerability lies in the absence of proper error handling in GzipSource's implementation. When parsing a malformed gzip buffer, the library fails to adequately address potential exceptions. Consequently, an attacker could craft a GZIP archive that, when processed by GzipSource, causes an Okio client to either crash or become unresponsive.

The following code snippet showcases the vulnerability in GzipSource's read method:

public long read(Buffer sink, long byteCount) throws IOException {
    ...
    while (sourceExhausted && !inflater.needsInput()) {
        ...
        // Reads the trailer of the (possibly malformed) gzip buffer; any exception
        // raised here propagates straight out of read() because nothing catches it.
        int headerCRC32 = (int) inflaterFooterSource.readLeInt();
        ...
    }
    ...
}


In this code snippet, the inflaterFooterSource.readLeInt() call can throw an IOException when attempting to read a malformed gzip buffer. However, GzipSource does not handle this exception, resulting in unwanted behavior and a potential denial of service.

The following code snippet demonstrates how an attacker might exploit the vulnerability, by crafting a GZIP archive that triggers the exception:

import java.io.IOException;
import okio.Buffer;
import okio.ByteString;
import okio.GzipSource;

public class GzipSourceCrash {
    public static void main(String[] args) {
        // createMalformedGzip() is not shown on this page; it returns the crafted bytes.
        byte[] gzipBytes = createMalformedGzip();
        ByteString gzipByteString = ByteString.of(gzipBytes);
        // GzipSource wraps an okio.Source, so hand it a Buffer holding the bytes.
        GzipSource gzipSource = new GzipSource(new Buffer().write(gzipByteString));
        Buffer sink = new Buffer();
        try {
            gzipSource.read(sink, gzipBytes.length);
        } catch (IOException e) {
            // Only IOException is caught; an exception of another type raised while
            // parsing the malformed buffer escapes, which is the reported DoS.
            e.printStackTrace();
        }
    }
}


By executing this code snippet, the Okio client will process the crafted GZIP archive and potentially crash or become unresponsive.

Original References

1. Okio GitHub repository: https://github.com/square/okio
2. GzipSource.java source code: https://github.com/square/okio/blob/master/okio/src/main/java/okio/GzipSource.java

Mitigation

The recommended mitigation for this vulnerability is to update the Okio library to the latest version, in which the issue has been resolved. Developers should confirm that their builds pull in the patched version of GzipSource to prevent exploitation of CVE-2023-3635.
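As an added example that is not part of the original post or of the Okio project, the following Java helper shows how a client can contain a GzipSource parser failure while the upgrade is rolled out: it checks the gzip magic bytes, bounds the decompressed size, and converts any unchecked exception thrown by GzipSource into an IOException so the calling thread never dies. Assumed: the okio.Buffer and okio.GzipSource public APIs; the class name, method name and 8192-byte read size are choices made for this example.

```java
import java.io.IOException;
import okio.Buffer;
import okio.GzipSource;

// Added example (not Okio's own code): decode untrusted gzip input without letting a
// parser failure escape as an unchecked exception, and cap the decompressed size.
public final class SafeGunzip {
    private SafeGunzip() {}

    /**
     * Decompresses {@code compressed} and returns the plaintext bytes.
     * Every failure surfaces as IOException, never as an unchecked exception.
     */
    public static byte[] gunzip(byte[] compressed, long maxDecompressedBytes) throws IOException {
        // Cheap pre-check of the gzip magic bytes (0x1f 0x8b) before touching the inflater.
        if (compressed.length < 2
                || (compressed[0] & 0xff) != 0x1f
                || (compressed[1] & 0xff) != 0x8b) {
            throw new IOException("not a gzip stream");
        }
        Buffer sink = new Buffer();
        try (GzipSource gzip = new GzipSource(new Buffer().write(compressed))) {
            // Pull in bounded chunks so a decompression bomb is caught early.
            while (gzip.read(sink, 8192) != -1) {
                if (sink.size() > maxDecompressedBytes) {
                    throw new IOException("decompressed size exceeds " + maxDecompressedBytes);
                }
            }
        } catch (RuntimeException e) {
            // A malformed header or trailer may surface as an unchecked exception rather
            // than an IOException; wrap it so callers have a single failure type to handle.
            throw new IOException("malformed gzip input", e);
        }
        return sink.readByteArray();
    }
}
```

This wrapper only contains the failure; it does not replace updating Okio to the fixed version.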

Conclusion

In conclusion, CVE-2023-3635 refers to a critical vulnerability in the GzipSource Java class of the Okio library. The malfunction lies in GzipSource's failure to handle exceptions and may lead to a denial of service in Okio clients when handling a specially crafted GZIP archive. Developers should ensure they are using the patched version of the Okio library to guard against this vulnerability.

Timeline

Published on: 07/12/2023 19:15:00 UTC
Last modified on: 07/26/2023 16:24:00 UTC