CVE-2023-34453

Summary

CVE-2023-34453 is a vulnerability affecting snappy-java, a fast compressor/decompressor for Java. Versions prior to 1.1.10.1 contain an integer overflow issue in the `shuffle` function of `BitShuffle.java`. This function, which receives an array of integers and applies a bit shuffle, multiplies the array length by 4 to pass it to a natively compiled shuffle function. However, the length is not tested, leading to potential integer overflows. If the result is negative, a `java.lang.NegativeArraySizeException` exception is raised, potentially crashing the program. If the result is zero or too small, the code assumes a larger array size, causing exceptions like `java.lang.ArrayIndexOutOfBoundsException`. The same issue occurs with `shuffle` functions that receive doubles, floats, longs, and shorts, each using a different multiplier. Version 1.1.10.1 includes a patch for this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.