
Potential security vulnerability in the C library that may be invoked by Java code of JPPF. Could you help upgrade the vulnerable dependency? #39

Open
HelenParr opened this issue Apr 9, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@HelenParr

Hi, @lolocohen, I'd like to report a vulnerability issue in org.jppf:jppf-common:6.3-alpha.

Issue Description

I noticed that org.jppf:jppf-common:6.3-alpha directly depends on org.lz4:lz4-java:1.6.0, as shown in the following dependency graph. However, org.lz4:lz4-java:1.6.0 suffers from the vulnerability which the C library lz4 (version 1.9.1) exposed, containing a high severity CVE: CVE-2019-17543.

Dependency Graph between Java and Shared Libraries

[image: dependency graph between Java and shared libraries]

Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Java code. For instance, the following LZ4-JNI interfaces (Java code): LZ4JNIFastDecompressor::decompress(), LZ4JNISafeDecompressor::decompress(), LZ4JNICompressor::compress() can reach the vulnerable method (C code) LZ4_write32() reported by CVE-2019-17543.

Call chains:
LZ4JNISafeDecompressor::decompress() -> LZ4_decompress_safe() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNIFastDecompressor::decompress() -> LZ4_decompress_fast() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNICompressor::compress() -> LZ4_compress_limitedOutput() -> LZ4_compress_default() -> LZ4_compress_fast() -> LZ4_compress_fast_extState() -> LZ4_compress_generic() -> LZ4_write32()

Suggested Vulnerability Patch Versions

org.lz4:lz4-java:1.7.0 (>=1.7.0) has upgraded this vulnerable C library lz4 to the patch version 1.9.2.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~
Best regards,
Helen Parr

@HelenParr HelenParr added the bug label on Apr 9, 2022
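Since, as the report notes, Java build tools do not see the C library bundled inside lz4-java, one way to catch this from the Java side is to check the dependency tree for an lz4-java version older than 1.7.0, the version the report identifies as carrying the patched lz4 1.9.2. The script below is an added example, not code from the issue or the JPPF project; it walks `mvn dependency:tree` output and prints the path to every such node, and the tree text it reads is a constructed sample.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output for an application that
# depends on jppf-common 6.3-alpha (made up for this example, not from the issue).
SAMPLE_TREE = """\
[INFO] org.example:grid-app:jar:1.0.0
[INFO] +- org.jppf:jppf-common:jar:6.3-alpha:compile
[INFO] |  +- org.lz4:lz4-java:jar:1.6.0:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# From the report: lz4-java 1.6.0 bundles lz4 1.9.1 (CVE-2019-17543);
# lz4-java 1.7.0 and later bundle the patched lz4 1.9.2.
LZ4_JAVA_COORD = "org.lz4:lz4-java"
LZ4_JAVA_FIXED = (1, 7, 0)

# group:artifact:type:version[:scope] at the end of a tree line
COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):[\w.-]+:([\w.-]+)(?::\w+)?$")

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.6.0' -> (1, 6, 0); '6.3-alpha' -> (6, 3). Qualifiers are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)

def find_vulnerable_lz4(tree: str) -> List[str]:
    """Return the dependency path to every lz4-java node older than LZ4_JAVA_FIXED."""
    stack: List[str] = []   # ancestor coordinates, one entry per nesting depth
    hits: List[str] = []
    for line in tree.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        m = COORD_RE.search(body)
        if not m:
            continue
        # Each nesting level in Maven's tree output adds three prefix characters.
        depth = m.start() // 3
        group, artifact, version = m.groups()
        coord = f"{group}:{artifact}"
        stack[depth:] = [f"{coord}:{version}"]
        if coord == LZ4_JAVA_COORD and parse_version(version) < LZ4_JAVA_FIXED:
            hits.append(" -> ".join(stack))
    return hits

if __name__ == "__main__":
    for path in find_vulnerable_lz4(SAMPLE_TREE):
        print("vulnerable lz4-java pulled in via:", path)
```

Running it on a real project is `mvn dependency:tree | python3 this_script.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`.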
@PetitMote

Hello there @HelenParr

I’m sorry you never got any response. Sadly, my uncle, @lolocohen left us in 2022. We tried getting access to the project, but GitHub couldn’t respond to our demand and we were never able to make an announcement.

As JPPF was important to him, we would have loved for it to find a new maintainer. Feel free to fork it and make it your own if you wish.

Best regards
Timothée

@borisklug

Oh!

I am so sorry to hear that. I am very sorry for your loss. We still use JPPF in our jobs for distributed calculations.

Hope you can gain access to github but also to the domain jppf.org. It would be nice to have jppf.org working again. If you need some help for it, just send me a message.

@PetitMote

Thanks @borisklug

jppf.org is still reserved, I’ll try contacting the hoster and see if they can do something. Getting the complete host back would be best as we don’t have any save of the website. Looking back at it now, I remember it was me who recommended that hoster to him…

As for GitHub, we could try again, but I doubt it’ll change anything. And I don’t think I know anyone working there.
