This is an automated email from the ASF dual-hosted git repository.
divijv pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 52e8dcec Add CVE-2023-34455 to cve-list (#531)
52e8dcec is described below
commit 52e8dcecb1a0becdb7ff414d5f37b29e8134b389
Author: Divij Vaidya <[email protected]>
AuthorDate: Wed Jul 5 12:56:46 2023 +0200
Add CVE-2023-34455 to cve-list (#531)
Reviewers: Mickael Maison <[email protected]>, Luke Chen
<[email protected]>, Federico Valeri <[email protected]>
---
cve-list.html | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/cve-list.html b/cve-list.html
index 3d90e0f8..055b050a 100644
--- a/cve-list.html
+++ b/cve-list.html
@@ -9,6 +9,44 @@
This page lists all security vulnerabilities fixed in released versions of
Apache Kafka.
+ <h2 id="CVE-2023-34455"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2023-34455">CVE-2023-34455</a>
Clients using Snappy compression may cause out of memory error on brokers</h2>
+
+ <p> This CVE identifies a vulnerability in snappy-java which could be
used to cause an Out-of-Memory (OOM) condition, leading to
Denial-of-Service(DoS) on the Kafka broker.
+ The vulnerability allows any user who can producer data to the
broker to exploit the vulnerability by sending a malicious payload in the
record which is compressed using snappy. For more details on the vulnerability,
please refer to the following
+ link: <a
href="https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh">snappy-java
GitHub advisory.</a>
+ </p>
+
+ <table class="data-table">
+ <tbody>
+ <tr>
+ <td>Versions affected</td>
+ <td>0.8.0 - 3.5.0</td>
+ </tr>
+ <tr>
+ <td>Fixed versions</td>
+ <td>3.5.1 (in-progress, <a
href="https://lists.apache.org/thread/fkqy14bx8dc2ffrtvxyrg5f9fobjd2fd">tentative
release end of July 2023</a>)</td>
+ </tr>
+ <tr>
+ <td>Impact</td>
+ <td>This vulnerability allows any user who can produce data to the
broker to exploit the vulnerability, potentially causing an Out-of-Memory (OOM)
condition, leading to Denial-of-Service(DoS) on the Kafka broker. It could be
exploited
+ by sending a malicious payload in the record which is compressed
using snappy. On receiving the record, the broker will try to de-compress the
record to perform record validation and
+ it will <a
href="https://github.com/apache/kafka/blob/c97b88d5db4de28d9f51bb11fb71ddd6217c7dda/clients/src/main/java/org/apache/kafka/common/compress/SnappyFactory.java#L44">delegate
decompression to snappy-java library</a>.
+ The vulnerability in the snappy-java library may cause allocation
of an unexpected amount of heap memory, causing an OOM on the broker. Any
configured quota will not be able to prevent this because a single record can
exploit this vulnerability.
+ </td>
+ </tr>
+ <tr>
+ <td>Advice</td>
+ <td>We advise all Kafka users to promptly upgrade to a version of
snappy-java (>=1.1.10.1) to mitigate this vulnerability.
+ The latest version (1.1.10.1, as of July 5, 2023) of snappy-java
is backward compatible with all affected versions of Kafka. The affected
library jar for snappy-java should be replaced with this newer version.
+ </td>
+ </tr>
+ <tr>
+ <td>Issue announced</td>
+ <td>5 Jul 2023</td>
+ </tr>
+ </tbody>
+ </table>
+
<h2 id="CVE-2023-25194"><a
href="https://nvd.nist.gov/vuln/detail/CVE-2023-25194">CVE-2023-25194</a>
Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule
configuration using Apache Kafka Connect API </h2>
<p>A possible security vulnerability has been identified in Apache Kafka
Connect API.
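Review bot: the description paragraph of the new CVE-2023-34455 entry has a typo that the Impact cell further down gets right: "The vulnerability allows any user who can producer data to the broker" should read "can produce data". In the same entry, "Denial-of-Service(DoS)" (in both the paragraph and the Impact cell) wants a space before the parenthesis, "de-compress" should be "decompress" to match "decompression" in the following sentence, and the trailing period inside the advisory anchor text ("snappy-java GitHub advisory.</a>") belongs outside the link. One documentation point on the Advice cell: it tells operators to replace the snappy-java jar with >=1.1.10.1, but the Fixed versions cell does not say which snappy-java version 3.5.1 will bundle, so it would help to state that 3.5.1 ships the fixed dependency (or that the jar swap is still needed) once the release is out.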