[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17610078#comment-17610078 ] Manikumar commented on KAFKA-14063: --- There wont be official PR. Yes, you can pickup the commit from respective branch > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17609820#comment-17609820 ] Swathi Mocharla commented on KAFKA-14063: - hi [~omkreddy], Will there be an official PR created for this commit, or can we pick up the commits you've mentioned in your previous comment? > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17608468#comment-17608468 ] MillieZhang commented on KAFKA-14063: - [~omkreddy] thanks a lot :) > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17608137#comment-17608137 ] Manikumar commented on KAFKA-14063: --- This is the commit for 2.8 branch: https://github.com/apache/kafka/commit/14951a83e3fdead212156e5532359500d72f68bc > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17608126#comment-17608126 ] MillieZhang commented on KAFKA-14063: - Is it possible to consider that the vulnerability is fixed by this commit? {code:java} Revision: b7dd40ff2bfb4e0cd726c1168e039d828daf113d Author: Manikumar Reddy Date: 2022/5/16 21:55:02 Message: MINOR: Add configurable max receive size for SASL authentication requests This adds a new configuration `sasl.server.max.receive.size` that sets the maximum receive size for requests before and during authentication. Reviewers: Tom Bentley , Mickael Maison Co-authored-by: Manikumar Reddy Co-authored-by: Mickael Maison Modified: checkstyle/suppressions.xml Modified: clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java Modified: clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java Modified: clients/src/test/java/org/apache/kafka/common/security/TestSecurityConfig.java Modified: clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslAuthenticatorTest.java Modified: clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticatorTest.java Modified: core/src/main/scala/kafka/server/KafkaConfig.scala Modified: core/src/test/scala/unit/kafka/server/KafkaConfigTest.scala {code} > CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic > payloads > - > > Key: KAFKA-14063 > URL: https://issues.apache.org/jira/browse/KAFKA-14063 > Project: Kafka > Issue Type: Bug > Components: generator >Affects Versions: 3.2.0 >Reporter: Daniel Collins >Priority: Major > Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3 > > > When parsing code receives a payload for a variable length field where the > length is specified in the code as some arbitrarily large number (assume > INT32_MAX for example) this will immediately try to allocate an ArrayList to > hold this many elements, before checking whether this is a reasonable array > size given the available data. > The fix for this is to instead throw a runtime exception if the length of a > variably sized container exceeds the amount of remaining data. Then, the > worst a user can do is force the server to allocate 8x the size of the actual > delivered data (if they claim there are N elements for a container of Objects > (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in > the ArrayList's backing array). > This was identified by fuzzing the kafka request parsing code. -- This message was sent by Atlassian Jira (v8.20.10#820010)