rdblue opened a new issue, #16458: URL: https://github.com/apache/iceberg/issues/16458
> This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution. > > Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them. # Summary Multiple Parquet decoders allocate heap directly from file-controlled sizes without hard caps, creating read-time heap denial of service paths. # Affected Maven coordinates * primary shipped client artifact: `org.apache.iceberg:iceberg-arrow` # Attacker prerequisites * ability to make the target process parse attacker-controlled or semi-trusted table data or metadata * enough repetition or input size to trigger the unchecked allocation or crash path # Impact * A crafted Parquet page can trigger large heap allocations before row-level limits or caller-visible batch sizes reduce the work. * The likely failure mode is JVM heap exhaustion or repeated GC pressure severe enough to deny service. # Proof status Source review only. The issue is visible directly from source. # Key source references * org.apache.iceberg.arrow.vectorized.parquet.VectorizedDeltaEncodedValuesReader * org.apache.iceberg.arrow.vectorized.parquet.BaseVectorizedParquetValuesReader * org.apache.iceberg.arrow.vectorized.parquet.VectorizedByteStreamSplitValuesReader * org.apache.iceberg.arrow.vectorized.parquet.VectorizedDeltaLengthByteArrayValuesReader * org.apache.iceberg.arrow.vectorized.parquet.VectorizedDeltaByteArrayValuesReader Current severity assessment [2]: Moderate [1] https://iceberg.apache.org/security/ [2] https://security.apache.org/blog/severityrating/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
