CVE-2023-43642: 
Apache Cassandra vulnerability analysis and mitigation

The vulnerability (CVE-2023-43642) affects snappy-java, a Java port of Google's snappy compression/decompression library. The vulnerability was discovered in September 2023 and affects all versions up to and including 1.1.10.3. The SnappyInputStream component was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size (GitHub Advisory, NVD).

The vulnerability stems from a missing upper bound check on chunk length in the SnappyInputStream component. When processing compressed data with an excessively large chunk size, such as 0x7FFFFFFF (2,147,483,647 in decimal), the application attempts to allocate an inappropriate number of bytes on the heap, which can trigger a java.lang.OutOfMemoryError exception. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with low complexity and requires no privileges or user interaction (GitHub Advisory).

The primary impact of this vulnerability is a potential Denial of Service (DoS) condition, particularly severe when ExitOnOutOfMemoryError or CrashOnOutOfMemoryError is configured on the JVM. The vulnerability can cause an unrecoverable fatal error, affecting the availability of applications dependent on snappy-java for compression/decompression operations (GitHub Advisory).

The vulnerability has been fixed in version 1.1.10.4 through commit 9f8c3cf74. Users are strongly advised to upgrade to this version or later. For users unable to upgrade immediately, it is recommended to only accept compressed data from trusted sources (NVD, GitHub Advisory).