CVE-2023-34455: 
Java vulnerability analysis and mitigation

CVE-2023-34455 affects snappy-java, a fast compressor/decompressor for Java, in versions prior to 1.1.10.1. The vulnerability was discovered by Ori Hollander of the JFrog Security Research Team and disclosed on June 14, 2023. The issue exists in the hasNextChunk function within fileSnappyInputStream.java, where an unchecked chunk length can lead to an unrecoverable fatal error (GitHub Advisory).

The vulnerability occurs in the hasNextChunk function where the code attempts to read 4 bytes and treats them as the length of the next chunk without properly validating the input. When the 'compressed' variable is null, a byte array is allocated with the size given by the input data. Due to the lack of validation on the 'chunkSize' variable, it's possible to pass a negative number (such as 0xFFFFFFFF which is -1) or a large positive value (such as 0x7FFFFFFF). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. When exploited, the vulnerability can cause either a java.lang.NegativeArraySizeException exception or a fatal java.lang.OutOfMemoryError, making the application unresponsive (GitHub Advisory, NetApp Advisory).

The vulnerability has been patched in snappy-java version 1.1.10.1. Users are strongly recommended to upgrade to this version or later. The fix includes proper validation of chunk sizes before allocation attempts (GitHub Advisory).