Cruise-control is the first of its kind to fully automate the dynamic workload rebalance and self-healing of a Kafka cluster. It provides great value to Kafka users by simplifying the operation of Kafka clusters.
snappy-java is a Java port of Snappy, a fast C++ compressor/decompressor developed by Google. The SnappyInputStream component in snappy-java has been found to be vulnerable to Denial of Service (DoS) attacks when decompressing data whose declared chunk size is too large. Because the chunk length read from the stream is not checked against an upper bound, an unrecoverable fatal error can occur, leading to a DoS condition.
CVE Identifier
CVE-2023-43642
Affected Versions
This vulnerability affects snappy-java versions up to and including 1.1.10.3.
Fixed Version
This vulnerability has been addressed in snappy-java version 1.1.10.4. The current version of snappy-java is 1.1.10.5.
Impact
An attacker can exploit this vulnerability to trigger a DoS condition by sending specially crafted compressed data to the application.
Resolution
Users are strongly advised to upgrade to snappy-java version 1.1.10.5, which contains the fix for this vulnerability. Users who are unable to upgrade immediately are advised to exercise caution and only accept compressed data from trusted sources to mitigate the risk associated with this vulnerability.
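The defect described above is a missing upper-bound check on a length field read from untrusted input. The following Java class is an added illustration, not code from snappy-java or from Cruise Control: it reads a simplified length-prefixed chunk stream (assumption: a 4-byte big-endian length followed by that many bytes; the real snappy-java framing, header and limit constants are not reproduced) and shows the unchecked pattern beside the hardened one. `MAX_CHUNK_LENGTH` is an assumed cap chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative reader for a length-prefixed chunk stream. Assumption: each chunk is a
 * 4-byte big-endian length followed by that many bytes; snappy-java's real framing,
 * header and constants are not reproduced here.
 */
public final class BoundedChunkReader {

    /** Assumed cap on a single chunk; the library's own limit may differ. */
    static final int MAX_CHUNK_LENGTH = 1 << 20; // 1 MiB

    static final class OversizedChunkException extends IOException {
        OversizedChunkException(int declared) {
            super("declared chunk length " + declared + " exceeds limit " + MAX_CHUNK_LENGTH);
        }
    }

    /** Unchecked pattern: trusts the declared length and allocates it outright. */
    static List<byte[]> readChunksUnchecked(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        List<byte[]> chunks = new ArrayList<>();
        while (true) {
            int len;
            try {
                len = din.readInt();
            } catch (EOFException end) {
                return chunks; // clean end of stream
            }
            // A hostile length (negative or huge) fails here with an unrecoverable error
            // (NegativeArraySizeException / OutOfMemoryError) instead of an IOException.
            byte[] chunk = new byte[len];
            din.readFully(chunk);
            chunks.add(chunk);
        }
    }

    /** Hardened pattern: validate the declared length before any allocation. */
    static List<byte[]> readChunksChecked(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        List<byte[]> chunks = new ArrayList<>();
        while (true) {
            int len;
            try {
                len = din.readInt();
            } catch (EOFException end) {
                return chunks;
            }
            if (len < 0 || len > MAX_CHUNK_LENGTH) {
                throw new OversizedChunkException(len); // recoverable, caller-visible failure
            }
            byte[] chunk = new byte[len];
            din.readFully(chunk); // throws EOFException if the body is truncated
            chunks.add(chunk);
        }
    }

    /** Builds a well-formed stream from the given payloads (constructed test data). */
    static byte[] frame(byte[]... payloads) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(bos);
        for (byte[] p : payloads) {
            dos.writeInt(p.length);
            dos.write(p);
        }
        dos.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] good = frame("hello".getBytes(StandardCharsets.UTF_8),
                            "world".getBytes(StandardCharsets.UTF_8));
        int count = readChunksChecked(new ByteArrayInputStream(good)).size();
        System.out.println("well-formed stream: " + count + " chunks");

        // Constructed test input: a length field claiming Integer.MAX_VALUE bytes with no body.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        new DataOutputStream(bos).writeInt(Integer.MAX_VALUE);
        byte[] oversizedHeader = bos.toByteArray();
        try {
            readChunksChecked(new ByteArrayInputStream(oversizedHeader));
        } catch (OversizedChunkException e) {
            System.out.println("rejected before allocation: " + e.getMessage());
        }
    }
}
```

The point of the hardened variant is that the failure surfaces as an ordinary checked `IOException` the caller can handle and log, rather than an `OutOfMemoryError` that can take down the JVM or the thread pool serving other requests. A consumer that cannot upgrade immediately can apply the same idea one layer up: reject or size-limit compressed payloads from untrusted peers before they reach the decompressor, which is the mitigation the Resolution section describes.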