CVE-2023-43642 is a critical vulnerability discovered in snappy-java, a Java port of Snappy, Google's high-performance C++ compression/decompression library. The vulnerability exists in the SnappyInputStream component and can lead to Denial of Service (DoS) when decompressing data that declares an excessively large chunk size. All versions of snappy-java, including the latest released version 1.1.10.3, are impacted by this issue.

Code Snippet

The vulnerability arises from a missing upper-bound check on the chunk length read from the stream while decompressing. Here is a sample code snippet showing the affected area:

public class SnappyInputStream extends InputStream {
    ...
    // Fills b[off .. off+len) from the underlying stream. The len requested here is
    // driven by the chunk length taken from the stream itself, and no upper bound
    // is enforced on that length before it is used.
    private void readFully(byte[] b, int off, int len) throws IOException {
        ...
        while (bytesRead < len) {
            // Keep reading until len bytes have arrived or the stream ends.
            int n = read(b, off + bytesRead, len - bytesRead);
            ...
        }
    }
    ...
}

Original References

1. The snappy-java GitHub repository can be found at: https://github.com/xerial/snappy-java
2. The particular commit that resolves this issue is available here: https://github.com/xerial/snappy-java/commit/9f8c3cf74

Exploit Details

An attacker can exploit this vulnerability by crafting compressed data whose chunk size field is malformed, causing an unrecoverable fatal error when the data is passed through SnappyInputStream. The result is a DoS condition that can render the target application unresponsive. An example of this type of exploit is provided below:

import org.xerial.snappy.SnappyInputStream;
import java.io.*;

public class ExploitCVE202343642 {
    public static void main(String[] args) {
        // The crafted input is not reproduced in this write-up; it is a snappy-java
        // stream whose chunk size field is malformed (see above).
        final byte[] malformedCompressedData = /* malformed compressed data */ new byte[0];
        final ByteArrayInputStream maliciousData = new ByteArrayInputStream(malformedCompressedData);

        try {
            // The constructor reads the stream header and declares IOException,
            // so it belongs inside the try block.
            final SnappyInputStream inputStream = new SnappyInputStream(maliciousData);
            final byte[] buffer = new byte[4096];
            // Drain the stream; read() returns -1 at end of stream.
            while (inputStream.read(buffer) >= 0) {
                // output is discarded
            }
            inputStream.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

Mitigations and Recommendations

A fix for this vulnerability has been introduced in commit 9f8c3cf74, which will be included in the upcoming 1.1.10.4 release. Users are strongly encouraged to upgrade their snappy-java version to 1.1.10.4 or later once it becomes available. In the meantime, users who are unable to upgrade should only accept compressed data from trusted sources.
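For readers who cannot upgrade immediately and already hold the compressed input in memory, the following Java class is an added example (not snappy-java's own code, and not the fix from commit 9f8c3cf74) of the kind of upper-bound check the vulnerability description calls for: it walks the chunk framing of a snappy-java stream and rejects any chunk whose declared length exceeds a caller-chosen maximum before the bytes ever reach SnappyInputStream. It assumes snappy-java's stream layout as written by SnappyOutputStream (an 8-byte magic 0x82 "SNAPPY" 0x00, a 4-byte version, a 4-byte compatible version, then repeated 4-byte big-endian chunk lengths each followed by that many bytes), and the class name, the DEFAULT_MAX_CHUNK policy value and the sample payload are all chosen here. The check is deliberately stricter than the library's reader: it does not accept concatenated streams or any length field that is negative as a signed int.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.xerial.snappy.SnappyInputStream;
import org.xerial.snappy.SnappyOutputStream;

// Added example: pre-validates chunk lengths of a buffered snappy-java stream.
public final class BoundedSnappyCheck {

    // Assumed snappy-java stream magic: 0x82 "SNAPPY" 0x00
    private static final byte[] MAGIC = {(byte) 0x82, 'S', 'N', 'A', 'P', 'P', 'Y', 0};
    // magic (8) + version (4) + compatible version (4)
    private static final int HEADER_SIZE = 16;
    // Largest chunk length this check accepts; a policy value chosen for this example.
    public static final int DEFAULT_MAX_CHUNK = 1 << 20;

    private BoundedSnappyCheck() {}

    // Returns the number of chunks if every declared length is within [0, maxChunk]
    // and fits inside the data; throws IOException otherwise.
    public static int validateChunkLengths(byte[] data, int maxChunk) throws IOException {
        if (data.length < HEADER_SIZE
                || !Arrays.equals(Arrays.copyOf(data, MAGIC.length), MAGIC)) {
            throw new IOException("not a snappy-java stream");
        }
        ByteBuffer buf = ByteBuffer.wrap(data, HEADER_SIZE, data.length - HEADER_SIZE);
        int chunks = 0;
        while (buf.remaining() >= 4) {
            int len = buf.getInt(); // big-endian; negative if the top bit is set
            if (len < 0 || len > maxChunk) {
                throw new IOException("chunk " + chunks + " declares "
                        + (len & 0xFFFFFFFFL) + " bytes; limit is " + maxChunk);
            }
            if (len > buf.remaining()) {
                throw new IOException("chunk " + chunks + " runs past the end of the data");
            }
            buf.position(buf.position() + len); // skip the chunk body
            chunks++;
        }
        if (buf.remaining() != 0) {
            throw new IOException("trailing bytes after the last chunk");
        }
        return chunks;
    }

    // Validates first, then opens the decompressor over the same bytes.
    public static InputStream openChecked(byte[] data, int maxChunk) throws IOException {
        validateChunkLengths(data, maxChunk);
        return new SnappyInputStream(new ByteArrayInputStream(data));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: compress a small payload with the library's own writer.
        byte[] payload = "hello snappy-java, hello snappy-java".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream compressed = new ByteArrayOutputStream();
        try (SnappyOutputStream sos = new SnappyOutputStream(compressed)) {
            sos.write(payload);
        }
        byte[] good = compressed.toByteArray();
        System.out.println("well-formed stream, chunks: "
                + validateChunkLengths(good, DEFAULT_MAX_CHUNK));

        ByteArrayOutputStream restored = new ByteArrayOutputStream();
        try (InputStream in = openChecked(good, DEFAULT_MAX_CHUNK)) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) >= 0) {
                restored.write(buf, 0, n);
            }
        }
        System.out.println("round trip ok: " + Arrays.equals(restored.toByteArray(), payload));

        // Constructed malformed copy for testing the check: the first chunk length
        // field is overwritten with a value far above any sane chunk size.
        byte[] bad = good.clone();
        ByteBuffer.wrap(bad).putInt(HEADER_SIZE, Integer.MAX_VALUE);
        try {
            validateChunkLengths(bad, DEFAULT_MAX_CHUNK);
            System.out.println("unexpected: malformed stream passed the check");
        } catch (IOException e) {
            System.out.println("rejected before decompression: " + e.getMessage());
        }
    }
}
```

This only helps where the whole compressed input is buffered before decompression; for streaming consumers the library fix is the remedy, since the allocation happens inside SnappyInputStream before any caller-side code sees the chunk.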

For the most up-to-date information and guidance on addressing this vulnerability, please visit the snappy-java GitHub repository at https://github.com/xerial/snappy-java.

Timeline

Published on: 09/25/2023 20:15:00 UTC
Last modified on: 09/26/2023 15:46:00 UTC