Potential secutiry vulnerability in the C library may invoked by Java code of enos-mqtt. Could you help upgrade the vulnerble dependency?

Question

Potential secutiry vulnerability in the C library may invoked by Java code of enos-mqtt. Could you help upgrade the vulnerble dependency?

Opened this issue 2 years ago · 0 comments

Hi, @jieyuan-shen, @charleshuangcai , I'd like to report a vulnerability issue in com.envisioniot:enos-mqtt:2.2.15.

Issue Description

I noticed that com.envisioniot:enos-mqtt:2.2.15 directly depends on org.lz4:lz4-java:1.6.0. As shown in the following dependency graph. However, org.lz4:lz4-java:1.6.0 sufferes from the vulnerability which the C library lz4(version:1.9.1) exposed, containing a high severity CVE: CVE-2019-17543.

Dependency Graph between Java and Shared Libraries

Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Java code. For instance, the following LZ4-JNI interfaces(Java code): LZ4JNIFastDecompressor::decompress(), LZ4JNISafeDecompressor::decompress(), LZ4JNICompressor::compress() can reach the vulnerable method(C code) LZ4_write32() reported by CVE-2019-17543.

call chain----
LZ4JNISafeDecompressor::decompress() -> LZ4_decompress_safe() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNIFastDecompressor::decompress() -> LZ4_decompress_fast() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNICompressor::compress() -> LZ4_compress_limitedOutput() -> LZ4_compress_default -> LZ4_compress_fast -> LZ4_compress_fast_extState() -> LZ4_compress_generic() -> LZ4_write32()

Suggested Vulnerability Patch Versions

org.lz4:lz4-java:1.7.0 (>=1.7.0) has upgraded this vulnerable C library to the patch version.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~
Best regards,
Helen Parr