rmoff opened a new issue, #15378: URL: https://github.com/apache/iceberg/issues/15378
> [!NOTE]
> This analysis was performed with the assistance of Claude Opus 4.6 (Anthropic). Findings should be independently verified.

## Summary

The Kafka Connect runtime distribution includes `io.airlift:aircompressor:2.0.2`, which is affected by [CVE-2025-67721](https://nvd.nist.gov/vuln/detail/CVE-2025-67721) (HIGH severity). The vulnerability is in the Java-based Snappy and LZ4 decompressor implementations, where incorrect handling of malformed compressed data can leak previous buffer contents via crafted input. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs.

## Reproducing

Build the Kafka Connect runtime distribution and scan with Trivy:

```bash
# Build from the 1.10.x branch
./gradlew :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip -x test -x integrationTest

# Unzip the distribution
unzip -q kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-1.10.0.zip -d /tmp/iceberg-kc-scan

# Scan with Trivy (use rootfs mode for standalone JAR detection)
trivy rootfs /tmp/iceberg-kc-scan/iceberg-kafka-connect-runtime-1.10.0/lib/ -s HIGH,CRITICAL --scanners vuln
```

Trivy output:

```
aircompressor-2.0.2.jar (jar)
CVE-2025-67721: io.airlift:aircompressor 2.0.2 (HIGH)
```

This was also found during Confluent Hub partner plugin validation, blocking publication of the connector.

## Analysis

The fix for this CVE is in [aircompressor-v3 version 3.4](https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg), but migrating to it is not currently feasible for the following reasons:

1. **Different Maven artifact ID**: The fixed version uses `io.airlift:aircompressor-v3` (not `io.airlift:aircompressor`)
2. **Different Java package namespace**: Classes moved from `io.airlift.compress.*` to `io.airlift.compress.v3.*`, making it binary-incompatible
3. **Java 22+ requirement**: `aircompressor-v3` requires Java 22, while Iceberg targets Java 11/17
4. **No 2.x backport**: There is no patched release of the original `io.airlift:aircompressor` artifact; the latest is 2.0.2, and the `release-2.x` branch has not received the fix commits

### Dependency chain

`aircompressor:2.0.2` is pulled in transitively by:

- `iceberg-core` → direct dependency on `io.airlift:aircompressor:0.27` (resolved to 2.0.2)
- `iceberg-parquet` → `parquet-hadoop:1.17.0` → `aircompressor:2.0.2`
- `iceberg-orc` → `orc-core:1.9.8` → `aircompressor:0.27` (resolved to 2.0.2)

### Fix commits (on aircompressor master/v3 only)

- https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15
- https://github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765

## Possible solutions

1. **Request upstream backport**: Ask airlift to backport the fix to the `release-2.x` branch and publish a 2.0.3 release. This would allow a simple `force` override in the Kafka Connect build, matching the existing pattern for other CVE fixes.
2. **Vendor a patched aircompressor**: Fork aircompressor 2.0.2, apply the two fix commits, and publish a patched artifact. This is maintainable short-term but adds ongoing maintenance burden.
3. **Wait for upstream migration**: Apache Parquet and Apache ORC would need to migrate to `aircompressor-v3`, which requires them to also adopt Java 22+. This is a longer-term solution.

## References

- Advisory: https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg
- Fix PR: https://github.com/airlift/aircompressor/pull/309
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-67721
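The Summary above notes that the leak only matters when one output buffer is reused across inputs. The following wrapper is an added example (not code from the issue, Iceberg or aircompressor) of how a consumer of the unpatched 2.x artifact can contain that risk while a fix is pending: it zeroes the shared buffer before each call and returns only the bytes the decompressor reports as written. It assumes the aircompressor 2.x `io.airlift.compress.Decompressor` API, whose `decompress(input, inputOffset, inputLength, output, outputOffset, maxOutputLength)` returns the output length and throws `MalformedInputException` on bad input.

```java
import io.airlift.compress.Decompressor;
import io.airlift.compress.MalformedInputException;
import io.airlift.compress.snappy.SnappyCompressor;
import io.airlift.compress.snappy.SnappyDecompressor;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Defensive wrapper for callers that reuse one output buffer across many
 * inputs, the scenario CVE-2025-67721 concerns. Assumption: the aircompressor
 * 2.x Decompressor contract (returns bytes written, throws on malformed input).
 */
public final class SafeDecompress {
    private final Decompressor decompressor;
    private final byte[] scratch; // shared across calls, hence the clearing below

    public SafeDecompress(Decompressor decompressor, int maxUncompressedLength) {
        this.decompressor = decompressor;
        this.scratch = new byte[maxUncompressedLength];
    }

    /** Returns a fresh copy of the decompressed bytes, or throws on malformed input. */
    public byte[] decompress(byte[] compressed, int offset, int length) {
        // Mitigation: with a zeroed buffer, any region a buggy decompressor skips on
        // malformed input exposes zeros rather than the previous record's plaintext.
        Arrays.fill(scratch, (byte) 0);
        int written;
        try {
            written = decompressor.decompress(compressed, offset, length, scratch, 0, scratch.length);
        } catch (MalformedInputException e) {
            // Never hand partial output from a malformed frame to the caller.
            throw new IllegalArgumentException("rejecting malformed compressed input", e);
        }
        // Copy only the reported length so stale bytes past it are never observable.
        return Arrays.copyOf(scratch, written);
    }

    public static void main(String[] args) {
        // Constructed demo: two records through one scratch buffer; the second is
        // shorter than the first, which is exactly when stale bytes could survive.
        SnappyCompressor compressor = new SnappyCompressor();
        SafeDecompress safe = new SafeDecompress(new SnappyDecompressor(), 1024);
        for (String record : new String[] {"first record, the longer of the two", "short"}) {
            byte[] raw = record.getBytes(StandardCharsets.UTF_8);
            byte[] packed = new byte[compressor.maxCompressedLength(raw.length)];
            int n = compressor.compress(raw, 0, raw.length, packed, 0, packed.length);
            System.out.println(new String(safe.decompress(packed, 0, n), StandardCharsets.UTF_8));
        }
    }
}
```

Clearing the buffer is a containment measure only; the advisory's fix commits are still needed to make the decompressor reject the malformed input in the first place.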
