[GitHub] [kafka-site] fvaleri commented on a diff in pull request #531: Add CVE-2023-34455 to cve-list

2023-07-05 Thread via GitHub


fvaleri commented on code in PR #531:
URL: https://github.com/apache/kafka-site/pull/531#discussion_r1252964157


##
cve-list.html:
##
@@ -9,6 +9,44 @@ Apache Kafka Security Vulnerabilities
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+  https://nvd.nist.gov/vuln/detail/CVE-2023-34455;>CVE-2023-34455 
Clients using Snappy compression may cause out of memory error on brokers
+
+   This CVE identifies a vulnerability in snappy-java which could be 
used to cause an Out-of-Memory (OOM) condition, leading to 
Denial-of-Service(DoS) on the Kafka broker.
+  The vulnerability allows any user who can producer data to the 
broker to exploit the vulnerability by sending a malicious payload in the 
record which is compressed using snappy. For more details on the vulnerability, 
please refer to the following
+  link: https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh;>snappy-java
 GitHub advisory.
+  
+
+  
+
+
+  Versions affected
+  0.8.0 - 3.5.0
+
+
+  Fixed versions
+  3.5.1 (in-progress, https://lists.apache.org/thread/fkqy14bx8dc2ffrtvxyrg5f9fobjd2fd;>tentative
 release end of July 2023)
+
+
+  Impact
+   This vulnerability allows any user who can produce data to the 
broker to exploit the vulnerability, potentially causing an Out-of-Memory (OOM) 
condition, leading to Denial-of-Service(DoS) on the Kafka broker. It could be 
exploited
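Review bot: the description paragraph has a typo, "any user who can producer data to the broker" should read "any user who can produce data to the broker", matching the wording the Impact section already uses; the same paragraph also writes "Denial-of-Service(DoS)" with no space before the parenthesis, and the Impact section repeats that spelling, so both places should be fixed together.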

Review Comment:
   Thanks.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [kafka-site] fvaleri commented on a diff in pull request #531: Add CVE-2023-34455 to cve-list

2023-07-05 Thread via GitHub


fvaleri commented on code in PR #531:
URL: https://github.com/apache/kafka-site/pull/531#discussion_r1252910476


##
cve-list.html:
##
@@ -9,6 +9,44 @@ Apache Kafka Security Vulnerabilities
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+  https://nvd.nist.gov/vuln/detail/CVE-2023-34455;>CVE-2023-34455 
Clients using Snappy compression may cause out of memory error on brokers
+
+   This CVE identifies a vulnerability in snappy-java which could be 
used to cause an Out-of-Memory (OOM) condition, leading to 
Denial-of-Service(DoS) on the Kafka broker.
+  The vulnerability allows any user who can producer data to the 
broker to exploit the vulnerability by sending a malicious payload in the 
record which is compressed using snappy. For more details on the vulnerability, 
please refer to the following
+  link: https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh;>snappy-java
 GitHub advisory.
+  
+
+  
+
+
+  Versions affected
+  0.8.0 - 3.5.0
+
+
+  Fixed versions
+  3.5.1 (in-progress, https://lists.apache.org/thread/fkqy14bx8dc2ffrtvxyrg5f9fobjd2fd;>tentative
 release end of July 2023)
+
+
+  Impact
+   This vulnerability allows any user who can produce data to the 
broker to exploit the vulnerability, potentially causing an Out-of-Memory (OOM) 
condition, leading to Denial-of-Service(DoS) on the Kafka broker. It could be 
exploited
+by sending a malicious payload in the record which is compressed 
using snappy. On receiving the record, the broker will try to de-compress the 
record to perform record validation and
+it will https://github.com/apache/kafka/blob/c97b88d5db4de28d9f51bb11fb71ddd6217c7dda/clients/src/main/java/org/apache/kafka/common/compress/SnappyFactory.java#L44;>delegate
 decompression to snappy-java library.
+The vulnerability in the snappy-java library may cause allocation 
of an unexpected amount of heap memory, causing an OOM on the broker. Any 
configured quota will not be able to prevent this because a single record can 
exploit this vulnerability.
+  
+
+
+  Advice
+   We advise all Kafka users to promptly upgrade to the latest 
version of snappy-java (1.1.10.1) to mitigate this vulnerability.
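Review bot: the Advice section tells users to upgrade the snappy-java library to 1.1.10.1, while Fixed versions lists only Kafka 3.5.1 (in-progress); the entry should state how the two relate, i.e. whether users on 0.8.0 - 3.5.0 are expected to update the broker's snappy-java dependency now or wait for 3.5.1, so the mitigation is actionable in both cases. The Impact paragraph also restates the description's sentence about the snappy-compressed malicious record almost verbatim; keeping that explanation in one place would shorten the entry.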

Review Comment:
   ```suggestion
 We advise all Kafka users to promptly upgrade to the latest 
version of snappy-java (1.1.10.1) to mitigate this vulnerability.
   ```



##
cve-list.html:
##
@@ -9,6 +9,44 @@ Apache Kafka Security Vulnerabilities
 
 This page lists all security vulnerabilities fixed in released versions of 
Apache Kafka.
 
+  https://nvd.nist.gov/vuln/detail/CVE-2023-34455;>CVE-2023-34455 
Clients using Snappy compression may cause out of memory error on brokers
+
+   This CVE identifies a vulnerability in snappy-java which could be 
used to cause an Out-of-Memory (OOM) condition, leading to 
Denial-of-Service(DoS) on the Kafka broker.
+  The vulnerability allows any user who can producer data to the 
broker to exploit the vulnerability by sending a malicious payload in the 
record which is compressed using snappy. For more details on the vulnerability, 
please refer to the following
+  link: https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh;>snappy-java
 GitHub advisory.
+  
+
+  
+
+
+  Versions affected
+  0.8.0 - 3.5.0
+
+
+  Fixed versions
+  3.5.1 (in-progress, https://lists.apache.org/thread/fkqy14bx8dc2ffrtvxyrg5f9fobjd2fd;>tentative
 release end of July 2023)
+
+
+  Impact
+   This vulnerability allows any user who can produce data to the 
broker to exploit the vulnerability, potentially causing an Out-of-Memory (OOM) 
condition, leading to Denial-of-Service(DoS) on the Kafka broker. It could be 
exploited
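Review bot: "For more details on the vulnerability, please refer to the following link: snappy-java GitHub advisory." reads awkwardly; suggest "For more details, see the snappy-java GitHub advisory." with the advisory name carrying the link. The Fixed versions line "(in-progress, tentative release end of July 2023)" will also need a follow-up edit once 3.5.1 is released so the list does not go stale.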

Review Comment:
   Extra space at the start.
   ```suggestion
 This vulnerability allows any user who can produce data to the 
broker to exploit the vulnerability, potentially causing an Out-of-Memory (OOM) 
condition, leading to Denial-of-Service(DoS) on the Kafka broker. It could be 
exploited
   ```


