[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17610078#comment-17610078 ] Manikumar commented on KAFKA-14063: --- There wont be official PR. Yes, you can pickup the commit from respective branch > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17609820#comment-17609820 ] Swathi Mocharla commented on KAFKA-14063: - hi [~omkreddy], Will there be an official PR created for this commit, or can we pick up the commits you've mentioned in your previous comment? > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17608468#comment-17608468 ] MillieZhang commented on KAFKA-14063: - [~omkreddy] thanks a lot :) > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17608137#comment-17608137 ] Manikumar commented on KAFKA-14063: --- This is the commit for 2.8 branch: https://github.com/apache/kafka/commit/14951a83e3fdead212156e5532359500d72f68bc > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[
https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17608126#comment-17608126
]
MillieZhang commented on KAFKA-14063:
-
Is it possible to consider that the vulnerability is fixed by this commit?
{code:java}
Revision: b7dd40ff2bfb4e0cd726c1168e039d828daf113d
Author: Manikumar Reddy
Date: 2022/5/16 21:55:02
Message:
MINOR: Add configurable max receive size for SASL authentication requests
This adds a new configuration `sasl.server.max.receive.size` that sets the
maximum receive size for requests before and during authentication.
Reviewers: Tom Bentley , Mickael Maison
Co-authored-by: Manikumar Reddy
Co-authored-by: Mickael Maison
Modified: checkstyle/suppressions.xml
Modified:
clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
Modified:
clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java
Modified:
clients/src/test/java/org/apache/kafka/common/security/TestSecurityConfig.java
Modified:
clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslAuthenticatorTest.java
Modified:
clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticatorTest.java
Modified: core/src/main/scala/kafka/server/KafkaConfig.scala
Modified: core/src/test/scala/unit/kafka/server/KafkaConfigTest.scala {code}
> CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic
> payloads
> -
>
> Key: KAFKA-14063
> URL: https://issues.apache.org/jira/browse/KAFKA-14063
> Project: Kafka
> Issue Type: Bug
> Components: generator
>Affects Versions: 3.2.0
>Reporter: Daniel Collins
>Priority: Major
> Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3
>
>
> When parsing code receives a payload for a variable length field where the
> length is specified in the code as some arbitrarily large number (assume
> INT32_MAX for example) this will immediately try to allocate an ArrayList to
> hold this many elements, before checking whether this is a reasonable array
> size given the available data.
> The fix for this is to instead throw a runtime exception if the length of a
> variably sized container exceeds the amount of remaining data. Then, the
> worst a user can do is force the server to allocate 8x the size of the actual
> delivered data (if they claim there are N elements for a container of Objects
> (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in
> the ArrayList's backing array).
> This was identified by fuzzing the kafka request parsing code.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
