Impacted Versions
- Confluent Platform versions CP 7.4.0, <= CP 7.3.3, <= CP 7.2.5, <= CP 7.1.7, <= CP 7.0.9, <= CP 6.2.10, <= CP 6.1.11, <= CP 6.0.13
Recommended Action
- Upgrade to CP 7.4.1, 7.3.4, 7.2.6, 7.1.8, 7.0.10, 6.2.11, 6.1.12, 6.0.14.
- Confluent Cloud is not affected and no further action is necessary.
Issue
A security issue was discovered in Confluent Platform due to the use of a vulnerable dependency, org.xerial.snappy-java versions earlier than 1.1.10.1, which are affected by CVE-2023-34455. A malformed compressed input provided by a Kafka client could crash the Kafka broker. Specifically, unchecked multiplications or an unchecked chunk length in snappy-java versions earlier than 1.1.10.1 may lead to fatal memory access violations or memory exhaustion, terminating the process. Processing such malformed input could therefore cause Denial of Service (DoS) conditions that adversely affect the availability of Confluent Platform components.
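To make the "unchecked chunk length" failure mode concrete, here is an added illustration that is not part of the advisory and not code from snappy-java or Confluent. It uses a deliberately simplified length-prefixed chunk format (an assumption for the example, not the real Snappy framing) and an assumed per-chunk ceiling `MAX_CHUNK_LEN`. `declared_allocation_unchecked` models what a reader that trusts the length field would ask the allocator for, returning the number instead of allocating so the script is safe to run; `read_chunks_checked` is the hardened form that bounds every length against both a fixed limit and the bytes actually present before using it.

```python
import struct

# Simplified framing used only for this example (an assumption, not the real
# Snappy framing): a sequence of chunks, each a 4-byte big-endian length
# followed by exactly that many payload bytes.
HEADER = struct.Struct(">I")

# Assumed per-chunk ceiling. A real decoder derives this from the format's
# maximum block size; here it is just a fixed, sane upper bound.
MAX_CHUNK_LEN = 1 << 20  # 1 MiB


class MalformedInput(ValueError):
    """A chunk header is inconsistent with the rest of the stream."""


def declared_allocation_unchecked(data: bytes) -> int:
    """Total bytes a naive reader would allocate for this stream.

    Models the defect class the advisory describes: the length field is
    trusted and used to size a buffer before anyone checks that the payload
    exists. The total is returned rather than allocated, so a 6-byte input
    can 'request' ~2 GiB here without harming this process.
    """
    pos, total = 0, 0
    while pos + HEADER.size <= len(data):
        (length,) = HEADER.unpack_from(data, pos)
        total += length               # trusted as-is: this is the bug
        pos += HEADER.size + length   # skips past payload that may not exist
    return total


def read_chunks_checked(data: bytes) -> list[bytes]:
    """Hardened reader: validate every length before it sizes anything."""
    chunks: list[bytes] = []
    pos = 0
    while pos < len(data):
        remaining = len(data) - pos
        if remaining < HEADER.size:
            raise MalformedInput(f"truncated chunk header at offset {pos}")
        (length,) = HEADER.unpack_from(data, pos)
        pos += HEADER.size
        remaining -= HEADER.size
        if length > MAX_CHUNK_LEN:
            raise MalformedInput(
                f"chunk length {length} exceeds limit {MAX_CHUNK_LEN}")
        if length > remaining:
            raise MalformedInput(
                f"chunk length {length} exceeds the {remaining} bytes remaining")
        chunks.append(bytes(data[pos:pos + length]))
        pos += length
    return chunks


def frame(payloads: list[bytes]) -> bytes:
    """Build a well-formed stream in the example framing."""
    return b"".join(HEADER.pack(len(p)) + p for p in payloads)


# Constructed sample inputs (not captured from any real Kafka traffic).
GOOD_STREAM = frame([b"hello", b"", b"kafka"])
# A header claiming a ~2 GiB chunk, followed by only two bytes of payload.
OVERSIZED_STREAM = HEADER.pack(0x7FFFFFFF) + b"ab"

if __name__ == "__main__":
    print("good stream ->", read_chunks_checked(GOOD_STREAM))
    print("naive reader would allocate", declared_allocation_unchecked(OVERSIZED_STREAM), "bytes")
    try:
        read_chunks_checked(OVERSIZED_STREAM)
    except MalformedInput as exc:
        print("hardened reader rejected it:", exc)
```

The two checks in `read_chunks_checked` are independent and both matter: the fixed ceiling stops a single header from driving a huge allocation, and the remaining-bytes check stops a header from pointing past the end of what was actually received.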
Remediation
We have included fixes in the updated Confluent Platform releases 7.4.1, 7.3.4, 7.2.6, 7.1.8, 7.0.10, 6.2.11, 6.1.12 and 6.0.14. These fixes adequately address this issue by updating the vulnerable library, snappy-java, to version 1.1.10.1, which contains a patch for this vulnerability.
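A practical way to confirm the remediation on a deployed broker is to look for the snappy-java jar that is actually on disk and compare its version with the fixed 1.1.10.1. The script below is an added example, not Confluent's tooling; the fixed version comes from this advisory, while the jar filename pattern `snappy-java-<version>.jar` and the default search root (`$CONFLUENT_HOME`, falling back to the current directory) are assumptions about a typical install layout.

```python
import os
import re
import sys
from pathlib import Path

# Fixed version named in the advisory: any snappy-java below this is affected.
FIXED_VERSION = (1, 1, 10, 1)

# Assumed jar naming convention, e.g. snappy-java-1.1.8.4.jar
JAR_RE = re.compile(r"^snappy-java-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> tuple[int, ...]:
    """'1.1.8.4' -> (1, 1, 8, 4); tuples compare lexicographically,
    so (1, 1, 10) < (1, 1, 10, 1) as expected."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any snappy-java version earlier than 1.1.10.1."""
    return parse_version(version) < FIXED_VERSION


def vulnerable_jar_names(names: list[str]) -> list[str]:
    """Filter a list of jar filenames down to vulnerable snappy-java jars."""
    vulnerable = []
    for name in names:
        match = JAR_RE.match(name)
        if match and is_vulnerable_version(match.group(1)):
            vulnerable.append(name)
    return vulnerable


def find_vulnerable_jars(root: Path) -> list[Path]:
    """Walk an install tree and return every vulnerable snappy-java jar."""
    candidates = sorted(root.rglob("snappy-java-*.jar"))
    by_name = {jar.name: jar for jar in candidates}
    return [by_name[name] for name in vulnerable_jar_names(list(by_name))]


if __name__ == "__main__":
    # Assumed default: CONFLUENT_HOME if set, else the current directory.
    root = Path(sys.argv[1] if len(sys.argv) > 1
                else os.environ.get("CONFLUENT_HOME", "."))
    findings = find_vulnerable_jars(root)
    for jar in findings:
        print(f"VULNERABLE: {jar}")
    if not findings:
        print(f"no snappy-java jar older than "
              f"{'.'.join(map(str, FIXED_VERSION))} found under {root}")
    sys.exit(1 if findings else 0)
```

Run it as `python check_snappy.py /path/to/confluent` on each broker host; a non-zero exit means a pre-1.1.10.1 jar is still present somewhere under that tree, which is the condition the upgrade is meant to remove. Because connectors and other components ship their own copies of the library, searching the whole install root rather than a single lib directory avoids missing a stale jar.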
CVSS Score: 7.5
CVSS v3.1 Calculator:
Update (Added on Aug 3, 2023)
Regardless of the compression type originally specified in a Kafka topic or broker configuration, malformed inputs provided by a rogue authenticated and authorized Kafka producer could adversely affect the availability of the Kafka broker due to this vulnerability.
Change Log
| Date | Details |
| --- | --- |
| Aug 3, 2023 | Added an update to clarify the conditions of impact for the impacted Confluent Platform versions |
| Jul 31, 2023 | CONFSA-2023-06 initially published |