snappy-java Vulnerable to Denial-of-Service (DoS) due to Improper Input Validation in File 'SnappyInputStream.java'

Brocade SANnav

0 more products

25413

13 February 2025

13 February 2025

CLOSED

LOW

7.5 -- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2023-34455

Brocade Security Advisory ID

 BSA-2025-2392

Component

 kafka

 

 

Summary 

In snappy-java the stream chunk processing implementation uses a user controlled value to define the size of an allocated array. A remote attacker may abuse this by creating a crafted input stream that causes an extremely large array to be allocated, or a negative array size to be used. Both cases result in an exception being thrown and result in denial-of-service (DoS).

 

Products Affected

No Brocade products are affected

 

Products Not Affected

Brocade FabricOS
[VEX Justification: Vulnerable_code_not_present]

Brocade SANnav
[VEX Justification: Vulnerable_code_not_in_execute_path]

Brocade ASCG
[VEX Justification: Vulnerable_code_not_in_execute_path]

 

Solution

While not exploitable, Security update provided in SANnav 2.3.1 and 2.4.0

 

Revision History

Version

Change

Date

1.0

Initial Publication

 February 13, 2025

 

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.