[
https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608126#comment-17608126
]
MillieZhang commented on KAFKA-14063:
-------------------------------------
Is it possible to consider that the vulnerability is fixed by this commit?
{code:java}
Revision: b7dd40ff2bfb4e0cd726c1168e039d828daf113d
Author: Manikumar Reddy <[email protected]>
Date: 2022/5/16 21:55:02
Message:
MINOR: Add configurable max receive size for SASL authentication requests
This adds a new configuration `sasl.server.max.receive.size` that sets the
maximum receive size for requests before and during authentication.
Reviewers: Tom Bentley <[email protected]>, Mickael Maison
<[email protected]>
Co-authored-by: Manikumar Reddy <[email protected]>
Co-authored-by: Mickael Maison <[email protected]>
----
Modified: checkstyle/suppressions.xml
Modified:
clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
Modified:
clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java
Modified:
clients/src/test/java/org/apache/kafka/common/security/TestSecurityConfig.java
Modified:
clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslAuthenticatorTest.java
Modified:
clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticatorTest.java
Modified: core/src/main/scala/kafka/server/KafkaConfig.scala
Modified: core/src/test/scala/unit/kafka/server/KafkaConfigTest.scala {code}
> CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic
> payloads
> -------------------------------------------------------------------------------------
>
> Key: KAFKA-14063
> URL: https://issues.apache.org/jira/browse/KAFKA-14063
> Project: Kafka
> Issue Type: Bug
> Components: generator
> Affects Versions: 3.2.0
> Reporter: Daniel Collins
> Priority: Major
> Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3
>
>
> When parsing code receives a payload for a variable length field where the
> length is specified in the code as some arbitrarily large number (assume
> INT32_MAX for example) this will immediately try to allocate an ArrayList to
> hold this many elements, before checking whether this is a reasonable array
> size given the available data.
> The fix for this is to instead throw a runtime exception if the length of a
> variably sized container exceeds the amount of remaining data. Then, the
> worst a user can do is force the server to allocate 8x the size of the actual
> delivered data (if they claim there are N elements for a container of Objects
> (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in
> the ArrayList's backing array).
> This was identified by fuzzing the kafka request parsing code.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
