Yang Yu created CASSANDRA-14433:
-----------------------------------

             Summary: DoS attack through PagingState
                 Key: CASSANDRA-14433
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14433
             Project: Cassandra
          Issue Type: Bug
          Components: Core
            Reporter: Yang Yu


According to this manual 
[page|https://docs.datastax.com/en/developer/java-driver/3.5/manual/paging/], 
the paging state can be returned to and received from end users. This means end 
users can inject malicious content into the paging state in order to attack the 
server.

One way is to forge a paging state with a very large partition key size. The 
forged paging state will be passed through the driver and consumed by the 
server and cause OutOfMemoryError:
{noformat}
java.lang.OutOfMemoryError: Java heap space
at org.apache.cassandra.utils.ByteBufferUtil.read(ByteBufferUtil.java:401) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.utils.ByteBufferUtil.readWithVIntLength(ByteBufferUtil.java:340) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.service.pager.PagingState.deserialize(PagingState.java:78) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.cql3.QueryOptions$Codec.decode(QueryOptions.java:432) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.cql3.QueryOptions$Codec.decode(QueryOptions.java:366) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.transport.messages.ExecuteMessage$1.decode(ExecuteMessage.java:46) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.transport.messages.ExecuteMessage$1.decode(ExecuteMessage.java:42) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.transport.Message$ProtocolDecoder.decode(Message.java:281) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.transport.Message$ProtocolDecoder.decode(Message.java:262) ~[apache-cassandra-3.11.2.jar:3.11.2]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:88) [netty-all-4.0.44.Final.jar:4.0.44.Final]
{noformat}

The paging state used to cause the above exception is shown below. The encoded 
partition key size is 2G.
{noformat}
00180010f077359400736f6d654b65790900026331040000002a0a006a66e551aa30a3ac47e693ab43bd29a90004
{noformat}

This issue is especially serious in a multi-tenant environment, as one 
malicious tenant can affect all other tenants.
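The failure mode above is a length-prefixed field whose declared length is trusted before it is checked against the bytes actually present. The following is an added example, not Cassandra's code: it uses a simplified unsigned LEB128 varint and a simplified four-field layout (partition key, row mark, remaining, remaining-in-partition) as stand-ins for the real wire format, and shows the bounds check that rejects a forged 2 GiB length before any allocation. MAX_FIELD_BYTES and all sample inputs are constructed assumptions.

```python
from typing import Tuple, Dict

# Assumed policy cap for any single length-prefixed field in a paging state;
# a real deployment would derive it from the native-protocol max frame size.
MAX_FIELD_BYTES = 64 * 1024

def encode_vint(n: int) -> bytes:
    """Unsigned LEB128 (simplified stand-in for Cassandra's vint encoding)."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def read_vint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode one varint; returns (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized vint")
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def read_with_vint_length(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Hardened form: validate the declared length against the bytes that
    remain (and a policy cap) BEFORE copying. The vulnerable pattern in the
    trace above allocates `length` bytes first, so a forged 2G length OOMs."""
    length, pos = read_vint(buf, pos)
    if length > MAX_FIELD_BYTES or length > len(buf) - pos:
        raise ValueError(f"declared length {length} exceeds {len(buf) - pos} remaining bytes")
    return buf[pos:pos + length], pos + length

def encode_paging_state(pk: bytes, row_mark: bytes, remaining: int, rip: int) -> bytes:
    return (encode_vint(len(pk)) + pk + encode_vint(len(row_mark)) + row_mark
            + remaining.to_bytes(4, "big") + rip.to_bytes(4, "big"))

def parse_paging_state(blob: bytes) -> Dict[str, object]:
    pk, pos = read_with_vint_length(blob, 0)
    row_mark, pos = read_with_vint_length(blob, pos)
    if len(blob) - pos != 8:
        raise ValueError("bad trailer length")
    return {"partition_key": pk, "row_mark": row_mark,
            "remaining": int.from_bytes(blob[pos:pos + 4], "big"),
            "remaining_in_partition": int.from_bytes(blob[pos + 4:pos + 8], "big")}

# Constructed inputs (not the hex value from the report): a benign state, and a
# forged one that declares a 2 GiB partition key while carrying only 8 bytes.
BENIGN = encode_paging_state(b"someKey", b"c1", 42, 4)
FORGED = encode_vint(2 ** 31) + b"\x00" * 8

def is_rejected(blob: bytes) -> bool:
    try:
        parse_paging_state(blob)
        return False
    except ValueError:
        return True
```

Because the check compares the declared length to the bytes left in the already-bounded frame, a forged state fails fast with a parse error instead of reaching the allocator.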



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)