You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "MillieZhang (Jira)" <ji...@apache.org> on 2022/09/22 07:57:00 UTC

[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads

    [ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608126#comment-17608126 ] 

MillieZhang commented on KAFKA-14063:
-------------------------------------

Is it possible to consider that the vulnerability is fixed by this commit?
{code:java}
Revision: b7dd40ff2bfb4e0cd726c1168e039d828daf113d
Author: Manikumar Reddy <ma...@gmail.com>
Date: 2022/5/16 21:55:02
Message:
MINOR: Add configurable max receive size for SASL authentication requests
This adds a new configuration `sasl.server.max.receive.size` that sets the maximum receive size for requests before and during authentication.
Reviewers: Tom Bentley <tb...@redhat.com>, Mickael Maison <mi...@gmail.com>
Co-authored-by: Manikumar Reddy <ma...@gmail.com>
Co-authored-by: Mickael Maison <mi...@gmail.com>
----
Modified: checkstyle/suppressions.xml
Modified: clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
Modified: clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java
Modified: clients/src/test/java/org/apache/kafka/common/security/TestSecurityConfig.java
Modified: clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslAuthenticatorTest.java
Modified: clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticatorTest.java
Modified: core/src/main/scala/kafka/server/KafkaConfig.scala
Modified: core/src/test/scala/unit/kafka/server/KafkaConfigTest.scala {code}

> CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
> -------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14063
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14063
>             Project: Kafka
>          Issue Type: Bug
>          Components: generator
>    Affects Versions: 3.2.0
>            Reporter: Daniel Collins
>            Priority: Major
>             Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3
>
>
> When parsing code receives a payload for a variable length field where the length is specified in the code as some arbitrarily large number (assume INT32_MAX for example) this will immediately try to allocate an ArrayList to hold this many elements, before checking whether this is a reasonable array size given the available data. 
> The fix for this is to instead throw a runtime exception if the length of a variably sized container exceeds the amount of remaining data. Then, the worst a user can do is force the server to allocate 8x the size of the actual delivered data (if they claim there are N elements for a container of Objects (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in the ArrayList's backing array).
> This was identified by fuzzing the kafka request parsing code.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)