Beware of Snappy-java Compression Library Vulnerability

CVE: CVE-2023-34455
CVSS (v3.1): 7.5
Source: CVE-2023-34455

Snappy-java is a popular Java library for compressing and decompressing data. Versions prior to 1.1.10.1, however, are vulnerable to a serious out-of-memory error.

The vulnerability arises from missing input validation when decompressing compressed chunks: the library does not check that the length of an incoming chunk is within safe limits. An attacker can therefore craft a compressed file or stream whose chunk length field is extremely large or negative.

When the decompression routine tries to allocate memory based on this unexpected value, the result can be a NegativeArraySizeException or, more seriously, an OutOfMemoryError, which crashes the Java application that uses the vulnerable snappy-java library. In a worst-case scenario, the crash may even allow execution of arbitrary code.

The best protection is to update immediately to snappy-java 1.1.10.1, which fixes this issue. Also audit any applications or services that use snappy-java to decompress untrusted data and apply the update to them as soon as possible. Proper input validation on length fields prevents exploitation of this class of vulnerability.
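The following is an added example, not code from snappy-java or from this advisory. It models the pattern behind the bug on a deliberately simplified framed stream (a 4-byte big-endian length followed by that many payload bytes; this is not snappy-java's real stream format), and shows an unchecked reader that allocates straight from the untrusted length beside a hardened reader that bounds the length before allocating. The `MAX_CHUNK_SIZE` limit and the `frame` helper are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/**
 * Illustrative chunk reader for a simplified framed stream:
 *   [4-byte big-endian length][length bytes of chunk data] ...
 * This is NOT snappy-java's format or code; it only models the pattern
 * behind CVE-2023-34455: allocating a buffer from an unvalidated length
 * field read off untrusted input.
 */
public class ChunkLengthValidation {

    /** Hypothetical upper bound a reader would accept for one chunk. */
    static final int MAX_CHUNK_SIZE = 64 * 1024;

    /** Mirrors the flaw: trusts the length field and allocates immediately. */
    static byte[] readChunkUnchecked(DataInputStream in) throws IOException {
        int len = in.readInt();      // attacker-controlled
        byte[] buf = new byte[len];  // negative -> NegativeArraySizeException,
                                     // huge     -> OutOfMemoryError
        in.readFully(buf);
        return buf;
    }

    /** Hardened: validate the length before any allocation happens. */
    static byte[] readChunkChecked(DataInputStream in, int maxChunkSize) throws IOException {
        int len = in.readInt();
        if (len < 0) {
            throw new IOException("corrupt stream: negative chunk length " + len);
        }
        if (len > maxChunkSize) {
            throw new IOException("corrupt stream: chunk length " + len
                    + " exceeds limit " + maxChunkSize);
        }
        // The allocation is now bounded by a size the application chose.
        byte[] buf = new byte[len];
        in.readFully(buf);  // EOFException if the stream is shorter than claimed
        return buf;
    }

    /** Builds a constructed frame [declaredLength][payload] for the demo. */
    static byte[] frame(int declaredLength, byte[] payload) {
        ByteBuffer bb = ByteBuffer.allocate(4 + payload.length);
        bb.putInt(declaredLength);
        bb.put(payload);
        return bb.array();
    }

    static DataInputStream stream(byte[] bytes) {
        return new DataInputStream(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = "hello".getBytes(StandardCharsets.US_ASCII);

        // 1. Well-formed chunk: the hardened reader accepts it.
        byte[] good = frame(payload.length, payload);
        System.out.println("checked, valid: "
                + new String(readChunkChecked(stream(good), MAX_CHUNK_SIZE), StandardCharsets.US_ASCII));

        // 2. Negative length: the unchecked reader throws NegativeArraySizeException,
        //    the hardened reader rejects the frame with an IOException.
        byte[] negative = frame(-1, payload);
        try {
            readChunkUnchecked(stream(negative));
        } catch (NegativeArraySizeException e) {
            System.out.println("unchecked, negative length: " + e);
        }
        try {
            readChunkChecked(stream(negative), MAX_CHUNK_SIZE);
        } catch (IOException e) {
            System.out.println("checked, negative length: " + e.getMessage());
        }

        // 3. Oversized length (Integer.MAX_VALUE declared, 5 bytes present): the
        //    hardened reader rejects it before allocating. The unchecked reader would
        //    attempt a ~2 GiB allocation and raise OutOfMemoryError, so it is not run here.
        byte[] huge = frame(Integer.MAX_VALUE, payload);
        try {
            readChunkChecked(stream(huge), MAX_CHUNK_SIZE);
        } catch (IOException e) {
            System.out.println("checked, oversized length: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ChunkLengthValidation.java && java ChunkLengthValidation`. The point of the hardened reader is ordering: the bound check runs before `new byte[len]`, so a hostile length field can only produce a controlled `IOException` rather than an `Error` that takes down the JVM thread. Choosing the limit (here 64 KiB, an assumption) is an application decision; what matters is that it is finite and enforced before allocation, and that a truncated stream is caught by `readFully` rather than by a partially filled buffer.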
