| 1 | +Fix CVE-2024-36114 |
| 2 | +see https://github.com/stackabletech/vulnerabilities/issues/834 |
| 3 | + |
| 4 | +Aircompressor is a library with ports of the Snappy, LZO, LZ4, and |
| 5 | +Zstandard compression algorithms to Java. All decompressor |
| 6 | +implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash |
| 7 | +the JVM for certain input, and in some cases also leak the content of |
| 8 | +other memory of the Java process (which could contain sensitive |
| 9 | +information). When decompressing certain data, the decompressors try to |
| 10 | +access memory outside the bounds of the given byte arrays or byte |
| 11 | +buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to |
| 12 | +speed up memory access, no additional bounds checks are performed and |
| 13 | +this has similar security consequences as out-of-bounds access in C or |
| 14 | +C++, namely it can lead to non-deterministic behavior or crash the JVM. |
| 15 | +Users should update to Aircompressor 0.27 or newer where these issues |
| 16 | +have been fixed. When decompressing data from untrusted users, this can |
| 17 | +be exploited for a denial-of-service attack by crashing the JVM, or to |
| 18 | +leak other sensitive information from the Java process. There are no |
| 19 | +known workarounds for this issue. |
| 20 | + |
| 21 | +diff --git a/pom.xml b/pom.xml |
| 22 | +index c0f06547f8..f1c6e2f9ee 100644 |
| 23 | +--- a/pom.xml |
| 24 | ++++ b/pom.xml |
| 25 | +@@ -258,6 +258,12 @@ |
| 26 | + |
| 27 | + <dependencyManagement> |
| 28 | + <dependencies> |
| 29 | ++ <!-- Mitigate CVE-2024-36114: See https://github.com/stackabletech/vulnerabilities/issues/834 --> |
| 30 | ++ <dependency> |
| 31 | ++ <groupId>io.airlift</groupId> |
| 32 | ++ <artifactId>aircompressor</artifactId> |
| 33 | ++ <version>0.27</version> |
| 34 | ++ </dependency> |
| 35 | + <!-- Compile Scope --> |
| 36 | + <dependency> |
| 37 | + <groupId>commons-codec</groupId> |
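Review bot: The dependencyManagement entry added at `@@ -258,6 +258,12 @@` pins io.airlift:aircompressor to 0.27, which in Maven overrides the version both for modules that declare it directly and for copies pulled in transitively, but it does nothing for a copy that another artifact has shaded into its own jar; suggest verifying with `mvn dependency:tree -Dincludes=io.airlift:aircompressor` that no other version remains on the classpath, and stating in the message which module of this project actually consumes aircompressor, since the description explains the CVE but not where the library is used here. As a style point, the new block lands ahead of the `<!-- Compile Scope -->` comment that heads the existing dependency list; moving it under that heading, or giving it its own `<!-- Security overrides -->` group, keeps the section's grouping consistent.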