Posted to commits@cassandra.apache.org by "Yang Yu (JIRA)" <ji...@apache.org> on 2018/05/03 17:23:00 UTC

[jira] [Comment Edited] (CASSANDRA-14433) DoS attack through PagingState

    [ https://issues.apache.org/jira/browse/CASSANDRA-14433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16462801#comment-16462801 ] 

Yang Yu edited comment on CASSANDRA-14433 at 5/3/18 5:22 PM:
-------------------------------------------------------------

I'm not very familiar with Cassandra codebase, but it seems that one cause of this issue is that there is no validation to make sure the prefixed length is in line with the remaining buffer size. Cassandra driver does this checking effectively in com.datastax.driver.core.PagingState.PagingState(byte[] complete):
{noformat}
if (pagingSize + hashSize != pagingStateBB.remaining() && pagingSize + hashSize + 2 != pagingStateBB.remaining()) 
{noformat}
You are right that an untrusted client can still cause OOM by sending many requests, but it will be much harder.


was (Author: yyu):
I'm not very familiar with Cassandra codebase, but it seems that one cause of this issue is that there is no validation to make sure the prefixed length is in line with the remaining buffer size. Cassandra driver does this checking effectively in com.datastax.driver.core.PagingState.PagingState(byte[] complete):
{noformat}
if (pagingSize + hashSize != pagingStateBB.remaining() && pagingSize + hashSize + 2 != pagingStateBB.remaining()) 
{noformat}

You are right that an untrusted client can still cause OOM by sending many requests, but it will be much harder.

> DoS attack through PagingState
> ------------------------------
>
>                 Key: CASSANDRA-14433
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14433
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>            Reporter: Yang Yu
>            Priority: Major
>
> According to [this manual page|https://docs.datastax.com/en/developer/java-driver/3.5/manual/paging/], the paging state can be returned to and received from end users. This means end users can inject malicious content into the paging state in order to attack the server.
> One way is to forge a paging state with a very large partition key size. The forged paging state will be passed through the driver and consumed by the server and cause OutOfMemoryError:
> {noformat}
> java.lang.OutOfMemoryError: Java heap space
> at org.apache.cassandra.utils.ByteBufferUtil.read(ByteBufferUtil.java:401) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at org.apache.cassandra.utils.ByteBufferUtil.readWithVIntLength(ByteBufferUtil.java:340) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at org.apache.cassandra.service.pager.PagingState.deserialize(PagingState.java:78) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at org.apache.cassandra.cql3.QueryOptions$Codec.decode(QueryOptions.java:432) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at org.apache.cassandra.cql3.QueryOptions$Codec.decode(QueryOptions.java:366) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at org.apache.cassandra.transport.messages.ExecuteMessage$1.decode(ExecuteMessage.java:46) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at org.apache.cassandra.transport.messages.ExecuteMessage$1.decode(ExecuteMessage.java:42) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at org.apache.cassandra.transport.Message$ProtocolDecoder.decode(Message.java:281) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at org.apache.cassandra.transport.Message$ProtocolDecoder.decode(Message.java:262) ~[apache-cassandra-3.11.2.jar:3.11.2]
> at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:88) [netty-all-4.0.44.Final.jar:4.0.44.Final]
>  {noformat}
> The paging state used to cause the above exception is shown below. The encoded partition key size is 2G.
> {noformat}
> 00180010f077359400736f6d654b65790900026331040000002a0a006a66e551aa30a3ac47e693ab43bd29a90004
> {noformat}
> Essentially, this issue is very similar to the "DoS User Specified Object Allocation" example in [this OWASP page|https://www.owasp.org/index.php/Denial_of_Service]. It is especially serious in a multi-tenant environment, as one malicious tenant can affect all other tenants.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
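The following is an added worked example; it is not code from the Cassandra project, the DataStax driver, or the thread above. It decodes the forged paging state quoted in the issue and applies, to the inner length prefixes, the same kind of bounds check that the driver's `PagingState(byte[])` constructor applies to its outer envelope. The byte layouts are my reading of the 3.11 sources and should be treated as assumptions: the driver envelope is `short pagingSize | short hashSize | state | hash | optional short protocolVersion`, and the v4 server state is `vint-length partitionKey | vint-length rowMark | unsigned vint remaining | unsigned vint remainingInPartition`, where a Cassandra unsigned vint encodes the count of following big-endian bytes as leading 1 bits of the first byte. `HONEST_STATE` is constructed here by putting the real 7-byte length back in front of `someKey`; it is not from the page.

```python
"""Decode the CASSANDRA-14433 paging state and show the missing bounds check.

Added example, not project code. Layout assumptions are stated in the
lead-in; the forged hex is quoted verbatim from the issue report.
"""
import struct

# Forged envelope quoted in the issue (driver envelope around the server state).
FORGED_HEX = ("00180010f077359400736f6d654b65790900026331040000002a0a00"
              "6a66e551aa30a3ac47e693ab43bd29a90004")
# Constructed for this example: the same state with its real length (0x07) restored.
HONEST_STATE = bytes.fromhex("07736f6d654b65790900026331040000002a0a00")


class PagingStateError(ValueError):
    """Raised when a paging state is malformed or inconsistent."""


def read_unsigned_vint(buf: bytes, pos: int):
    """Cassandra-style unsigned vint: leading 1 bits of the first byte give the
    number of extra big-endian bytes. Returns (value, new_pos)."""
    if pos >= len(buf):
        raise PagingStateError("truncated vint")
    first = buf[pos]
    extra = 0
    while extra < 8 and (first << extra) & 0x80:
        extra += 1
    if pos + 1 + extra > len(buf):
        raise PagingStateError("truncated vint body")
    value = first & (0xFF >> extra)
    for b in buf[pos + 1:pos + 1 + extra]:
        value = (value << 8) | b
    return value, pos + 1 + extra


def read_with_vint_length(buf: bytes, pos: int, check_bounds: bool):
    """Length-prefixed blob. With check_bounds=False this mirrors the behaviour
    in the stack trace: the declared length is trusted and a buffer of that size
    would be allocated before a single byte of it is read."""
    length, pos = read_unsigned_vint(buf, pos)
    available = len(buf) - pos
    if length > available:
        if check_bounds:
            raise PagingStateError(
                f"declared length {length} exceeds {available} remaining bytes")
        # Stand-in for `new byte[length]` on the server (2 GB for this input).
        raise MemoryError(f"would allocate {length} bytes")
    return buf[pos:pos + length], pos + length


def decode_server_state(state: bytes, check_bounds: bool = True) -> dict:
    """Inner v4 paging state as the server reads it (assumed layout)."""
    pos = 0
    partition_key, pos = read_with_vint_length(state, pos, check_bounds)
    row_mark, pos = read_with_vint_length(state, pos, check_bounds)
    remaining, pos = read_unsigned_vint(state, pos)
    remaining_in_partition, pos = read_unsigned_vint(state, pos)
    if pos != len(state):
        raise PagingStateError("trailing bytes after paging state")
    return {"partition_key": partition_key, "row_mark": row_mark,
            "remaining": remaining, "remaining_in_partition": remaining_in_partition}


def decode_driver_envelope(raw: bytes) -> dict:
    """Outer envelope with the size check quoted in the thread. Note that the
    forged state passes this check: its sizes are self-consistent."""
    if len(raw) < 4:
        raise PagingStateError("envelope too short")
    paging_size, hash_size = struct.unpack_from(">HH", raw, 0)
    rest = len(raw) - 4
    if rest != paging_size + hash_size and rest != paging_size + hash_size + 2:
        raise PagingStateError("envelope sizes do not match buffer length")
    pos = 4
    state = raw[pos:pos + paging_size]
    pos += paging_size
    digest = raw[pos:pos + hash_size]
    pos += hash_size
    version = struct.unpack_from(">H", raw, pos)[0] if rest - pos + 4 == 2 else None
    return {"state": state, "hash": digest, "protocol_version": version}


def forged_partition_key_length(raw_hex: str = FORGED_HEX) -> int:
    """Partition-key length the forged state declares (the '2G' in the report)."""
    env = decode_driver_envelope(bytes.fromhex(raw_hex))
    length, _ = read_unsigned_vint(env["state"], 0)
    return length


def server_would_oom(raw_hex: str = FORGED_HEX) -> bool:
    """True if trusting the length prefix leads to an oversized allocation."""
    env = decode_driver_envelope(bytes.fromhex(raw_hex))
    try:
        decode_server_state(env["state"], check_bounds=False)
    except MemoryError:
        return True
    return False


def rejected_by_bounds_check(raw_hex: str = FORGED_HEX) -> bool:
    """True if the length-vs-remaining check refuses the state before allocating."""
    env = decode_driver_envelope(bytes.fromhex(raw_hex))
    try:
        decode_server_state(env["state"], check_bounds=True)
    except PagingStateError:
        return True
    return False


if __name__ == "__main__":
    print("declared partition key length:", forged_partition_key_length())
    print("honest state:", decode_server_state(HONEST_STATE))
    print("rejected before allocation:", rejected_by_bounds_check())
```

Running it shows why the driver-side check alone is not enough: the envelope lengths of the forged state add up, so `decode_driver_envelope` accepts it, and only the comparison of the inner vint length against the bytes actually remaining stops the 2,000,000,000-byte allocation. The same pattern applies to any length-prefixed field read from client-controlled input: compare the declared length with what is left in the buffer before allocating.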
