lz4/lz4-java

lz4-java-1.7.1.jar is identified as Vulnerable dependency on Dependency Check

wxue6 opened this issue · 9 comments

wxue6 commented

Our project is currently using lz4-java-1.7.1.jar. However, it is identified as a vulnerable dependency on Dependency Check.
Can you please advise how to resolve it? Thanks.

Identifiers
pkg:maven/org.lz4/lz4-java@1.7.1 (Confidence:Highest)
cpe:2.3:a:lz4_project:lz4:1.7.1:::::::* (Confidence:Low)

Published Vulnerabilities
CVE-2019-17543

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (8.1)
Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
MISC - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
MISC - lz4/lz4@v1.9.1...v1.9.2
MISC - lz4/lz4#801
MISC - lz4/lz4#756
MISC - lz4/lz4#760
MISC - https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26@%3Cissues.kudu.apache.org%3E
MLIST - [arrow-dev] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191024 [jira] [Assigned] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191024 [jira] [Updated] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191025 [jira] [Commented] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191106 [jira] [Resolved] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [kudu-issues] 20200621 [jira] [Updated] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu
MLIST - [kudu-issues] 20200709 [jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu
SUSE - openSUSE-SU-2019:2398
SUSE - openSUSE-SU-2019:2399
Vulnerable Software & Versions:

cpe:2.3:a:lz4_project:lz4:::::::: versions up to (excluding) 1.9.2

lz4-java 1.7.1 is based on lz4 1.9.2.

Rei Odaira commented

It must be a false positive. lz4-java 1.7.1 is based on lz4 1.9.2, which includes a fix to CVE-2019-17543. I have never used the dependency check, but what would you want me to do?

Rei Odaira commented

If you think the false positive is worth reporting, please do so yourself. If they ask for any evidence, you can refer them to my comment above. Or do they accept a report only from the author of the library?

wxue6 commented

Hi Rei, I don’t know whether they accept a report only from the author of the library or not. But I do think it will be more convincing that the author of the library reports it. I can report it as well. Thanks, Wei

On Oct 13, 2020, at 8:51 PM, Rei Odaira wrote: If you think the false positive is worth reporting, please do so yourself. If they ask for any evidence, you can refer them to my comment above. Or do they accept a report only from the author of the library?

https://github.com/lz4/lz4-java/blob/8c23c97485e96df4b6b120872a8d93a06293520c/.travis.yml shows 1.9.2... So this vuln doesn't affect lz4-java. That's a false positive on the part of the scanner. It probably looks for "lz4" plus "1.7.1" and determines that this must be vulnerable because the two substrings exist, as 1.7.1 is below 1.9.2, but it doesn't realize they are two separate projects and actually only lz4 v1.9.2 is used.

Would you still need any help for this?

Closing this. Please reopen it if you think I should further work on it.
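For anyone whose scan produces the same result, the scanner-side way to record this false positive is an OWASP Dependency Check suppression rule keyed to the identifiers in the report above. This is an added example, not something posted in the thread or shipped by lz4-java; the file name and the wording of the notes are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name is an assumption); pass it to the
     CLI with: dependency-check --suppression dependency-check-suppressions.xml ... -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: the scanner maps org.lz4:lz4-java to the C library's CPE
      (cpe:2.3:a:lz4_project:lz4, reported at Confidence:Low) and compares the Java
      artifact version 1.7.1 against the C library's fixed version 1.9.2.
      lz4-java 1.7.1 is built on lz4 1.9.2, which already contains the fix for
      CVE-2019-17543, so the finding does not apply to this artifact.
    ]]></notes>
    <!-- Scope the rule to this one artifact (any version) instead of suppressing the
         CVE globally; a regex on the package URL from the report does that. -->
    <packageUrl regex="true">^pkg:maven/org\.lz4/lz4\-java@.*$</packageUrl>
    <!-- Narrowest option: suppress only this CVE. A new CVE filed against the C
         library's CPE would still be reported and can be reviewed the same way.
         Replacing this element with <cpe>cpe:/a:lz4_project:lz4</cpe> would instead
         drop the mismatched CPE for this artifact entirely. -->
    <cve>CVE-2019-17543</cve>
  </suppress>
</suppressions>
```

Re-run the scan after adding the file; the report should list the finding under the suppressed section rather than as an open vulnerability, and the notes travel with the rule so the reasoning survives the next audit.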