You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "MillieZhang (Jira)" <ji...@apache.org> on 2022/09/22 07:57:00 UTC
[jira] [Commented] (KAFKA-14063) CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
[ https://issues.apache.org/jira/browse/KAFKA-14063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608126#comment-17608126 ]
MillieZhang commented on KAFKA-14063:
-------------------------------------
Is it possible to consider that the vulnerability is fixed by this commit?
{code:java}
Revision: b7dd40ff2bfb4e0cd726c1168e039d828daf113d
Author: Manikumar Reddy <ma...@gmail.com>
Date: 2022/5/16 21:55:02
Message:
MINOR: Add configurable max receive size for SASL authentication requests
This adds a new configuration `sasl.server.max.receive.size` that sets the maximum receive size for requests before and during authentication.
Reviewers: Tom Bentley <tb...@redhat.com>, Mickael Maison <mi...@gmail.com>
Co-authored-by: Manikumar Reddy <ma...@gmail.com>
Co-authored-by: Mickael Maison <mi...@gmail.com>
----
Modified: checkstyle/suppressions.xml
Modified: clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
Modified: clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java
Modified: clients/src/test/java/org/apache/kafka/common/security/TestSecurityConfig.java
Modified: clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslAuthenticatorTest.java
Modified: clients/src/test/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticatorTest.java
Modified: core/src/main/scala/kafka/server/KafkaConfig.scala
Modified: core/src/test/scala/unit/kafka/server/KafkaConfigTest.scala {code}
> CVE-2022-34917: Kafka message parsing can cause ooms with small antagonistic payloads
> -------------------------------------------------------------------------------------
>
> Key: KAFKA-14063
> URL: https://issues.apache.org/jira/browse/KAFKA-14063
> Project: Kafka
> Issue Type: Bug
> Components: generator
> Affects Versions: 3.2.0
> Reporter: Daniel Collins
> Priority: Major
> Fix For: 2.8.2, 3.3.0, 3.0.2, 3.1.2, 3.2.3
>
>
> When parsing code receives a payload for a variable length field where the length is specified in the code as some arbitrarily large number (assume INT32_MAX for example) this will immediately try to allocate an ArrayList to hold this many elements, before checking whether this is a reasonable array size given the available data.
> The fix for this is to instead throw a runtime exception if the length of a variably sized container exceeds the amount of remaining data. Then, the worst a user can do is force the server to allocate 8x the size of the actual delivered data (if they claim there are N elements for a container of Objects (i.e. not a byte string) and each Object bottoms out in an 8 byte pointer in the ArrayList's backing array).
> This was identified by fuzzing the kafka request parsing code.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)