Upgrade org.iq80.snappy from 0.4 to 0.5

Description

Suggested Release Notes: N/A. No user-visible changes


We're upgrading to 0.5 because it fixes a bug that could lead to a JVM crash when decompressing invalid input. This crash is extremely unlikely to occur in the Couchbase SDK because Couchbase Server validates compressed documents and refuses to store malformed compressed documents. However, we still want to upgrade to avoid even the slightest theoretical chance of a JVM crash (if, for example, the document got corrupted in transit from server to client). Upgrading also pacifies everyone's vulnerability scanners.

One complication is that version 0.5 removed compatibility with big-endian hardware and with JVMs where `sun.misc.Unsafe` is inaccessible (perhaps due to a restrictive security context).

To preserve the ability to use compression in all cases, we are repackaging the safe "slow path" code from version 0.4. The SDK will decide at runtime, based on the platform's byte order and whether `sun.misc.Unsafe` is accessible, whether it should use version 0.5 or fall back to the repackaged slow path from 0.4.

There is no change from the user's perspective. This is exactly the same fallback behavior we used to get from the official distribution of version 0.4. The only difference is that on little-endian systems that can access `sun.misc.Unsafe`, version 0.5 does better bounds checking to prevent potential JVM crashes.
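The runtime selection described above, as an added example that is not the Couchbase SDK's own code. It probes the two conditions that version 0.5 requires (little-endian native byte order and a reflectively reachable `sun.misc.Unsafe`), dispatches to one of two codec adapters, and wraps decompression so that a frame corrupted in transit surfaces as a checked exception rather than an unchecked library error. Assumptions: `org.iq80.snappy.Snappy` exposes the static `compress(byte[])` and `uncompress(byte[], int, int)` methods as in 0.4, and the repackaged 0.4 slow path is reachable as the hypothetical class `repackaged.snappy.Snappy` with the same signatures; the sample document is constructed.

```java
import java.lang.reflect.Field;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example, not Couchbase SDK code. Chooses a Snappy implementation once at
 * class-load time: org.iq80.snappy 0.5 when the platform is little-endian and
 * sun.misc.Unsafe is reachable, otherwise a pure-Java "slow path".
 *
 * Assumptions: org.iq80.snappy.Snappy has static compress(byte[]) and
 * uncompress(byte[], int, int) as in 0.4, and the repackaged 0.4 code is reachable
 * as the hypothetical class repackaged.snappy.Snappy with the same signatures.
 */
public final class SnappyCodecSelector {

    /** Callers only see this interface; which implementation backs it is decided at runtime. */
    public interface SnappyCodec {
        String name();
        byte[] compress(byte[] input);
        byte[] decompress(byte[] compressed, int offset, int length);
    }

    /** Thrown instead of letting a corrupt frame propagate as an unchecked library error. */
    public static final class CorruptSnappyDataException extends Exception {
        CorruptSnappyDataException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Decided once; the probe is cheap but there is no reason to repeat it per document. */
    public static final SnappyCodec CODEC = select();

    /** org.iq80.snappy 0.5 requires both of these; 0.4 could fall back on its own. */
    static boolean fastPathSupported() {
        return ByteOrder.nativeOrder() == ByteOrder.LITTLE_ENDIAN && unsafeAccessible();
    }

    /**
     * Probe sun.misc.Unsafe the way the library itself does: reflectively read the
     * "theUnsafe" field. A SecurityManager, a module setup that does not open
     * jdk.unsupported, or a JVM without the class all surface here as a Throwable.
     */
    static boolean unsafeAccessible() {
        try {
            Class<?> unsafeClass = Class.forName("sun.misc.Unsafe");
            Field theUnsafe = unsafeClass.getDeclaredField("theUnsafe");
            theUnsafe.setAccessible(true); // may throw SecurityException or InaccessibleObjectException
            return theUnsafe.get(null) != null;
        } catch (Throwable t) {
            return false;
        }
    }

    static SnappyCodec select() {
        if (fastPathSupported()) {
            return new SnappyCodec() {
                @Override public String name() { return "org.iq80.snappy 0.5 (Unsafe fast path)"; }
                @Override public byte[] compress(byte[] in) { return org.iq80.snappy.Snappy.compress(in); }
                @Override public byte[] decompress(byte[] c, int off, int len) { return org.iq80.snappy.Snappy.uncompress(c, off, len); }
            };
        }
        return new SnappyCodec() {
            // Hypothetical shaded copy of the 0.4 pure-Java code; the package name is an assumption.
            @Override public String name() { return "repackaged 0.4 pure-Java slow path"; }
            @Override public byte[] compress(byte[] in) { return repackaged.snappy.Snappy.compress(in); }
            @Override public byte[] decompress(byte[] c, int off, int len) { return repackaged.snappy.Snappy.uncompress(c, off, len); }
        };
    }

    /**
     * Decompress a document body received from the server. The server validates what it
     * stores, but bytes corrupted in transit must become an exception the caller can
     * handle, never a JVM crash.
     */
    public static byte[] decompressDocument(byte[] body) throws CorruptSnappyDataException {
        try {
            return CODEC.decompress(body, 0, body.length);
        } catch (RuntimeException e) { // org.iq80.snappy signals bad input with unchecked exceptions
            throw new CorruptSnappyDataException("Snappy frame rejected by " + CODEC.name(), e);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Selected: " + CODEC.name());

        // Constructed sample document; round-trips through whichever path was selected.
        byte[] doc = "{\"type\":\"airline\",\"name\":\"Example Air\"}".getBytes(StandardCharsets.UTF_8);
        byte[] compressed = CODEC.compress(doc);
        System.out.println("Round trip ok: " + Arrays.equals(doc, decompressDocument(compressed)));

        // Simulate in-transit corruption: truncate the frame and flip bits in its last byte.
        byte[] damaged = Arrays.copyOf(compressed, Math.max(2, compressed.length - 3));
        damaged[damaged.length - 1] ^= (byte) 0x7F;
        try {
            decompressDocument(damaged);
            System.out.println("Damaged frame decoded without error (lenient decoder)");
        } catch (CorruptSnappyDataException e) {
            System.out.println("Damaged frame rejected: " + e.getMessage());
        }
    }
}
```

Run it once on the target platform with `-Djava.security.manager` or a restrictive module configuration to confirm that the probe really reports the slow path; if the fast path is selected when it should not be, the 0.5 code would be loaded on a platform it does not support.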

Environment

None

Gerrit Reviews

None

Release Notes Description

None

Activity


Ray Cardillo July 16, 2024 at 1:26 PM

Added the `security` and `cve` labels in reference to CVE-2024-36124 that was reported in .

Ray Cardillo June 14, 2024 at 9:38 PM

Just to confirm, I presented the new approach to and and no objections. This is the best of both worlds. Thanks.

David Nault June 13, 2024 at 7:54 PM

I updated the issue description to reflect the new plan that lets us upgrade while preserving the ability to use compression in all environments.

Ray Cardillo June 11, 2024 at 6:31 PM

As discussed, let's defer this and review later because we need to be sure PM (and users) are going to be okay with the consequences of this change.

cc:

David Nault June 10, 2024 at 6:59 PM

This was prompted by https://github.com/advisories/GHSA-8wh2-6qhj-h7j9

When the org.iq80.snappy library (version < 0.5) attempts to decompress malformed input, it can cause a JVM crash. This is not as bad as it might seem, since the Couchbase JVM SDKs only attempt to decompress data received from Couchbase Server, and the server ensures all Snappy-compressed documents are well-formed before storing them. In other words, it's not possible for a malicious actor to crash a JVM by storing a malformed document in Couchbase, because the server refuses to store malformed Snappy-compressed documents.

However, we still want to rule out even the remotest possibility that the SDK will cause a JVM crash.

Another reason to make this change is that org.iq80.snappy is no longer maintained. The successor project by the same authors also requires little-endian hardware and access to sun.misc.Unsafe, so this is a limitation we'd need to accept sooner or later in any case.

Fixed
Created June 10, 2024 at 6:28 PM
Updated October 7, 2024 at 5:17 PM
Resolved July 16, 2024 at 1:26 PM