divijvaidya commented on code in PR #531:
URL: https://github.com/apache/kafka-site/pull/531#discussion_r1252929336


##########
cve-list.html:
##########
@@ -9,6 +9,44 @@ <h1>Apache Kafka Security Vulnerabilities</h1>
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+      <h2 id="CVE-2023-34455"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2023-34455";>CVE-2023-34455</a> 
Clients using Snappy compression may cause out of memory error on brokers</h2>
+
+      <p> This CVE identifies a vulnerability in snappy-java which could be 
used to cause an Out-of-Memory (OOM) condition, leading to 
Denial-of-Service(DoS) on the Kafka broker.
+          The vulnerability allows any user who can producer data to the 
broker to exploit the vulnerability by sending a malicious payload in the 
record which is compressed using snappy. For more details on the vulnerability, 
please refer to the following
+          link: <a 
href="https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh";>snappy-java
 GitHub advisory.</a>
+      </p>
+
+      <table class="data-table">
+        <tbody>
+        <tr>
+          <td>Versions affected</td>
+          <td>0.8.0 - 3.5.0</td>
+        </tr>
+        <tr>
+          <td>Fixed versions</td>
+          <td>3.5.1 (in-progress, <a 
href="https://lists.apache.org/thread/fkqy14bx8dc2ffrtvxyrg5f9fobjd2fd";>tentative
 release end of July 2023</a>)</td>
+        </tr>
+        <tr>
+          <td>Impact</td>
+          <td> This vulnerability allows any user who can produce data to the 
broker to exploit the vulnerability, potentially causing an Out-of-Memory (OOM) 
condition, leading to Denial-of-Service(DoS) on the Kafka broker. It could be 
exploited
+            by sending a malicious payload in the record which is compressed 
using snappy. On receiving the record, the broker will try to de-compress the 
record to perform record validation and
+            it will <a 
href="https://github.com/apache/kafka/blob/c97b88d5db4de28d9f51bb11fb71ddd6217c7dda/clients/src/main/java/org/apache/kafka/common/compress/SnappyFactory.java#L44";>delegate
 decompression to snappy-java library</a>.
+            The vulnerability in the snappy-java library may cause allocation 
of an unexpected amount of heap memory, causing an OOM on the broker. Any 
configured quota will not be able to prevent this because a single record can 
exploit this vulnerability.
+          </td>
+        </tr>
+        <tr>
+          <td>Advice</td>
+          <td> We advise all Kafka users to promptly upgrade to the latest 
version of snappy-java (1.1.10.1) to mitigate this vulnerability.
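Review bot: the description paragraph near the top of the hunk has a typo that the Impact row below gets right: "any user who can producer data to the broker" should read "any user who can produce data to the broker", and "Denial-of-Service(DoS)" in both the paragraph and the Impact row wants a space before the parenthesis. The Advice row also pins a single release, "the latest version of snappy-java (1.1.10.1)", which goes stale as soon as a newer snappy-java ships; phrasing it as a minimum ("a version of snappy-java >= 1.1.10.1") and saying explicitly that the jar to replace is the one on the broker classpath, since the Impact row itself explains that it is the broker that performs the decompression, would make the guidance durable and actionable.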

Review Comment:
   good idea. Fixed in latest commit and rephrased to:
   ```
   to promptly upgrade to a version of snappy-java (>=1.1.10.1) to
   ```
   and 
   ```
   The latest version (1.1.10.1, as of July 5, 2023) of snappy-java is backward 
compatible
   ```


