Описание
snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit 9f8c3cf74 which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS).
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | ||
| OpenShift Serverless | snappy-java | Affected | ||
| Red Hat Enterprise Linux 8 | log4j:2/log4j | Will not fix | ||
| Red Hat Enterprise Linux 9 | log4j | Will not fix | ||
| Red Hat JBoss Fuse 6 | snappy-java-all | Out of support scope | ||
| Red Hat JBoss Fuse 6 | snappy-java-all-repolib | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | snappy-java-all | Out of support scope | ||
| Red Hat JBoss Fuse Service Works 6 | snappy-java-all-repolib | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/metrics-cassandra | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-metrics-cassandra | Out of support scope |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
snappy-java is a Java port of the snappy, a fast C++ compresser/decomp ...
snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact
Уязвимость компонента Visual Analyzer (Snappy) программной платформы Oracle Business Intelligence Enterprise Edition, позволяющая нарушителю вызвать отказ в обслуживании
7.5 High
CVSS3