CVE-2023-34454: 
Java vulnerability analysis and mitigation

CVE-2023-34454 affects snappy-java, a fast compressor/decompressor for Java, in versions prior to 1.1.10.1. The vulnerability was discovered by Ori Hollander of the JFrog Security Research Team and disclosed on June 14, 2023. The issue involves an integer overflow vulnerability in the compression functionality that could lead to a denial of service condition (GitHub Advisory, NVD).

The vulnerability occurs in the compress() function when handling various data types (char, double, float, int, long, and short arrays). Due to unchecked multiplications of array lengths with their respective byte sizes, an integer overflow can occur, resulting in a negative value. When this negative value is passed to the maxCompressedLength function, which treats it as an unsigned integer, it can either cause a java.lang.NegativeArraySizeException or allocate an incorrectly sized buffer leading to a fatal Access Violation error (GitHub Advisory).

The vulnerability can result in a Denial of Service (DoS) condition. When exploited, it can cause either an unrecoverable fatal error or throw a NegativeArraySizeException, effectively crashing the application. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH by NVD and 5.9 MEDIUM by GitHub (NVD).

The vulnerability has been patched in version 1.1.10.1 of snappy-java. Users should upgrade to this version or later to mitigate the risk. The fix includes adding checks for integer overflow before performing the multiplication operations (GitHub Advisory).

The vulnerability has been acknowledged and patched by multiple organizations. Red Hat has included fixes for this vulnerability in their products, including Red Hat AMQ Streams 2.5.0 and Red Hat build of Quarkus 2.13.9 (Red Hat Advisory). Atlassian has also acknowledged this vulnerability in their January 2024 Security Bulletin for affected products (Atlassian Bulletin).