Impacted Versions
- Confluent Platform versions <= 7.5.1, <= 7.4.2, <= 7.3.5, <= 7.2.7, <= 7.1.9, <= 7.0.11, <= 6.2.12, <= 6.1.13, <= 6.0.15
- Confluent Cloud managed clusters
Recommended Action
- Upgrade your Confluent Platform deployments to versions 7.5.2, 7.4.3, 7.3.6, 7.2.8, 7.1.10, 7.0.12, 6.2.13, 6.1.14
- Please note that Confluent Cloud managed clusters were impacted by this vulnerability and are already fixed. No further action is necessary.
Issue
A security issue was identified that impacts both Confluent Platform and Confluent Cloud managed clusters because of a vulnerable dependency, org.xerial.snappy-java version 1.1.10.3. This version of snappy-java is affected by a new vulnerability, CVE-2023-43642, which stems from an incomplete fix for CVE-2023-34455: in snappy-java versions < 1.1.10.1, unchecked multiplications and an unchecked chunk length could lead to fatal memory access violations or memory exhaustion, terminating the process. The issue was only partially resolved in 1.1.10.3, and the library could still allocate excessive amounts of memory, which can affect the availability of the underlying deployments. Processing malformed inputs could therefore cause Denial of Service (DoS) conditions that affect the availability of Confluent Platform and Confluent Cloud components.
Based on our analysis, the likelihood of successful exploitation of this vulnerability in Confluent Platform deployments is extremely low, for the following reasons:
- If the requested allocation is larger than the maximum heap size, the JVM errors out before allocating the claimed number of bytes.
- If the requested allocation is smaller than the maximum heap size, the broker still does not crash: the call flow in snappy-java errors out because it expects the data to actually be present in memory as claimed by the malformed compressed input. The broker therefore keeps running unless the customer's JVM has been custom configured with the CrashOnOutOfMemoryError or ExitOnOutOfMemoryError flag.
Remediation
This issue is resolved in the CP patch releases 7.5.2, 7.4.3, 7.3.6, 7.2.8, 7.1.10, 7.0.12, 6.2.13 and 6.1.14; Confluent Cloud managed clusters are already patched. These fixes address the issue by updating the vulnerable snappy-java library to version 1.1.10.4.
If an upgrade is not immediately possible, we encourage customers to follow the guidance below on securing Confluent Platform deployments to further reduce the impact of this issue:
- Ensure that the Confluent Platform deployments are adequately protected behind network restrictions and only accessible to authorized users.
- Ensure that the underlying JVM for CP deployments is not custom configured with the CrashOnOutOfMemoryError or ExitOnOutOfMemoryError options.
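As an added example (not Confluent's own tooling), the script below checks a broker host against the advisory's two remediation points: whether the snappy-java jar on the classpath is older than the fixed 1.1.10.4, and whether the JVM options contain either OutOfMemoryError exit flag. It assumes the jar is named snappy-java-<version>.jar and that the broker's JVM flags are available as a single option string (for example the contents of KAFKA_OPTS).

```python
import re
from typing import Iterable, List, Optional, Tuple

# snappy-java version the advisory names as fixed.
FIXED_SNAPPY_VERSION = (1, 1, 10, 4)

# JVM flags the advisory says not to set on CP brokers: they turn an
# OutOfMemoryError raised on malformed input into a broker exit.
RISKY_OOM_FLAGS = ("-XX:+CrashOnOutOfMemoryError", "-XX:+ExitOnOutOfMemoryError")

# Assumed jar naming: snappy-java-<version>.jar, as shipped from Maven.
JAR_RE = re.compile(r"snappy-java-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.1.10.3' into (1, 1, 10, 3) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))


def snappy_jar_version(jar_names: Iterable[str]) -> Optional[Tuple[int, ...]]:
    """Version of the snappy-java jar among the given names, or None if absent."""
    for name in jar_names:
        m = JAR_RE.search(name)
        if m:
            return parse_version(m.group(1))
    return None


def snappy_is_vulnerable(jar_names: Iterable[str]) -> bool:
    """True when a snappy-java jar older than the fixed version is present."""
    version = snappy_jar_version(jar_names)
    return version is not None and version < FIXED_SNAPPY_VERSION


def risky_oom_flags(jvm_opts: str) -> List[str]:
    """Return the advisory's risky flags found in a JVM option string."""
    tokens = jvm_opts.split()
    return [flag for flag in RISKY_OOM_FLAGS if flag in tokens]


def assess(jar_names: Iterable[str], jvm_opts: str) -> dict:
    """One report per broker host combining the jar and JVM-flag checks."""
    jars = list(jar_names)
    return {
        "snappy_version": snappy_jar_version(jars),
        "snappy_vulnerable": snappy_is_vulnerable(jars),
        "risky_oom_flags": risky_oom_flags(jvm_opts),
    }


if __name__ == "__main__":
    # Constructed sample input (not real data): jar names from a CP
    # share/java directory and a broker's KAFKA_OPTS string.
    print(assess(["kafka-clients.jar", "snappy-java-1.1.10.3.jar"],
                 "-Xmx4g -XX:+ExitOnOutOfMemoryError -Djava.awt.headless=true"))
```

A host is compliant with the advisory only when the report shows snappy_vulnerable as False and an empty risky_oom_flags list.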