Posted to commits@cassandra.apache.org by "Yang Yu (JIRA)" <ji...@apache.org> on 2018/05/02 00:53:00 UTC

[jira] [Created] (CASSANDRA-14433) DoS attack through PagingState

Yang Yu created CASSANDRA-14433:
-----------------------------------

             Summary: DoS attack through PagingState
                 Key: CASSANDRA-14433
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14433
             Project: Cassandra
          Issue Type: Bug
          Components: Core
            Reporter: Yang Yu


According to this manual [page|https://docs.datastax.com/en/developer/java-driver/3.5/manual/paging/], the paging state can be returned to and received from end users. This means end users can inject malicious content into the paging state in order to attack the server.

One way is to forge a paging state with a very large partition key size. The forged paging state will be passed through the driver and consumed by the server and cause OutOfMemoryError:
{noformat}
java.lang.OutOfMemoryError: Java heap space
at org.apache.cassandra.utils.ByteBufferUtil.read(ByteBufferUtil.java:401) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.utils.ByteBufferUtil.readWithVIntLength(ByteBufferUtil.java:340) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.service.pager.PagingState.deserialize(PagingState.java:78) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.cql3.QueryOptions$Codec.decode(QueryOptions.java:432) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.cql3.QueryOptions$Codec.decode(QueryOptions.java:366) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.transport.messages.ExecuteMessage$1.decode(ExecuteMessage.java:46) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.transport.messages.ExecuteMessage$1.decode(ExecuteMessage.java:42) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.transport.Message$ProtocolDecoder.decode(Message.java:281) ~[apache-cassandra-3.11.2.jar:3.11.2]
at org.apache.cassandra.transport.Message$ProtocolDecoder.decode(Message.java:262) ~[apache-cassandra-3.11.2.jar:3.11.2]
at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:88) [netty-all-4.0.44.Final.jar:4.0.44.Final]
{noformat}

The paging state used to cause the above exception is shown below. The encoded partition key size is 2G.
{noformat}
00180010f077359400736f6d654b65790900026331040000002a0a006a66e551aa30a3ac47e693ab43bd29a90004
{noformat}

This issue is especially serious in a multi-tenant environment, as one malicious tenant can affect all other tenants.



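The failure mode reported above is a length prefix that is trusted before any buffer is allocated. The following is an added example, not Cassandra's code and not the fix applied for this issue: it checks the declared length against both a cap and the bytes actually present before touching the payload. The class and method names and the `MAX_FIELD_BYTES` value are assumptions, and the vint decoder is a simplified stand-in for the server's.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class BoundedPagingStateRead {
    // Assumed cap for one length-prefixed field; choose it from your schema.
    static final int MAX_FIELD_BYTES = 64 * 1024;

    // Simplified unsigned vint decoder (assumption): the number of leading
    // 1 bits in the first byte is the number of extra bytes that follow.
    static long readUnsignedVInt(ByteBuffer in) {
        if (!in.hasRemaining()) throw new IllegalArgumentException("missing length prefix");
        int first = in.get();                       // sign-extended byte
        if (first >= 0) return first;               // single-byte value
        int extra = Integer.numberOfLeadingZeros(~first) - 24;
        if (in.remaining() < extra) throw new IllegalArgumentException("truncated length prefix");
        long value = first & (0xff >> extra);
        for (int i = 0; i < extra; i++) value = (value << 8) | (in.get() & 0xff);
        return value;
    }

    // Validate the declared length before using it, then return a view of
    // the input instead of allocating a new buffer of attacker-chosen size.
    static ByteBuffer readBounded(ByteBuffer in) {
        long length = readUnsignedVInt(in);
        if (length < 0 || length > MAX_FIELD_BYTES || length > in.remaining())
            throw new IllegalArgumentException("declared length " + length
                    + " rejected; " + in.remaining() + " bytes remain");
        ByteBuffer field = in.slice();
        field.limit((int) length);
        in.position(in.position() + (int) length);
        return field;
    }

    public static void main(String[] args) {
        byte[] key = "someKey".getBytes(StandardCharsets.US_ASCII);
        // Constructed sample: prefix declares 2,000,000,000 bytes, 7 follow.
        ByteBuffer forged = ByteBuffer.allocate(5 + key.length);
        forged.put(new byte[] {(byte) 0xf0, 0x77, 0x35, (byte) 0x94, 0x00}).put(key).flip();
        // Constructed sample: prefix declares 7 bytes, 7 follow.
        ByteBuffer honest = ByteBuffer.allocate(1 + key.length);
        honest.put((byte) key.length).put(key).flip();
        try {
            readBounded(forged);
        } catch (IllegalArgumentException e) {
            System.out.println("forged: " + e.getMessage());
        }
        System.out.println("honest: " + StandardCharsets.US_ASCII.decode(readBounded(honest)));
    }
}
```

Rejecting the value at decode time turns the heap exhaustion into an ordinary protocol error for the one request that carried it.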