[ https://issues.apache.org/jira/browse/KAFKA-17301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mickael Maison updated KAFKA-17301:
-----------------------------------
    Description: 
lz4-java has not made a release since June 2021. It still depends on lz4 1.9.3 
which has a critical (however it does not seem exploitable in our case) CVE: 
[CVE-2021-3520|https://nvd.nist.gov/vuln/detail/CVE-2021-3520].

Looking at the fix in lz4 
(https://github.com/lz4/lz4/commit/7a966c1511816b53ac93aa2f2a2ff97e036a4a60), 
it now ensures that outputSize is not negative. 

The Kafka code that reaches this logic is 
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/compress/Lz4BlockInputStream.java#L185-L186.
The outputSize argument in the lz4 logic comes from blockSize in 
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/compress/Lz4BlockInputStream.java#L185-L186.
Just above we ensure blockSize is positive by ANDing it with the two's complement 
of LZ4_FRAME_INCOMPRESSIBLE_MASK, which is Integer.MIN_VALUE, so even if we read 
a negative block size it's forced to a positive value.




  was:
lz4-java has not made a release since June 2021. It still depends on lz4 1.9.3 
which has a critical (however it does not seem exploitable in our case) CVE: 
[CVE-2021-3520|https://nvd.nist.gov/vuln/detail/CVE-2021-3520].




> lz4-java is not maintained anymore
> ----------------------------------
>
>                 Key: KAFKA-17301
>                 URL: https://issues.apache.org/jira/browse/KAFKA-17301
>             Project: Kafka
>          Issue Type: Task
>            Reporter: Mickael Maison
>            Priority: Major
>
> lz4-java has not made a release since June 2021. It still depends on lz4 
> 1.9.3 which has a critical (however it does not seem exploitable in our case) 
> CVE: [CVE-2021-3520|https://nvd.nist.gov/vuln/detail/CVE-2021-3520].
> Looking at the fix in lz4 
> (https://github.com/lz4/lz4/commit/7a966c1511816b53ac93aa2f2a2ff97e036a4a60), 
> it now ensures that outputSize is not negative. 
> The Kafka code that reaches this logic is 
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/compress/Lz4BlockInputStream.java#L185-L186.
> The outputSize argument in the lz4 logic comes from blockSize in 
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/compress/Lz4BlockInputStream.java#L185-L186.
>  Just above we ensure blockSize is positive by ANDing it with the two's 
> complement of LZ4_FRAME_INCOMPRESSIBLE_MASK, which is Integer.MIN_VALUE, so 
> even if we read a negative block size it's forced to a positive value.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
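The masking argument in the description can be checked in isolation. The following is an added example written for this page, not code from Apache Kafka or lz4-java; it re-implements the block-header handling the issue describes (little-endian 32-bit header, top bit as the "incompressible" flag, the flag bit cleared from the size with the complement of a mask equal to Integer.MIN_VALUE, then the max-block-size bound check) using plain ByteBuffer instead of Kafka's own readIntLE helper. The class and method names (Lz4BlockSizeCheck, parseBlockHeader, checkedBlockSize, BlockHeader) and the 64 KiB maximum are this example's own assumptions; the three header byte strings are constructed test inputs.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

public class Lz4BlockSizeCheck {
    // Same value Kafka's LZ4_FRAME_INCOMPRESSIBLE_MASK has: only the sign bit set.
    static final int LZ4_FRAME_INCOMPRESSIBLE_MASK = 0x80000000; // == Integer.MIN_VALUE

    // Hypothetical holder for a decoded block header (names are this example's own).
    static final class BlockHeader {
        final boolean compressed;
        final int blockSize;

        BlockHeader(boolean compressed, int blockSize) {
            this.compressed = compressed;
            this.blockSize = blockSize;
        }
    }

    // Read the 4-byte little-endian block header, take the top bit as the
    // "stored uncompressed" flag and clear it from the size. Because the mask is
    // exactly the sign bit, the result is always in [0, Integer.MAX_VALUE], so a
    // negative value read from the wire can never be passed on as a size.
    static BlockHeader parseBlockHeader(byte[] header) {
        if (header.length != 4) {
            throw new IllegalArgumentException("block header must be 4 bytes");
        }
        int raw = ByteBuffer.wrap(header).order(ByteOrder.LITTLE_ENDIAN).getInt();
        boolean compressed = (raw & LZ4_FRAME_INCOMPRESSIBLE_MASK) == 0;
        int blockSize = raw & ~LZ4_FRAME_INCOMPRESSIBLE_MASK;
        return new BlockHeader(compressed, blockSize);
    }

    // The bound check that follows the masking: an oversized block is rejected
    // before any buffer is sized or any decompressor is called with it.
    static int checkedBlockSize(byte[] header, int maxBlockSize) {
        BlockHeader h = parseBlockHeader(header);
        if (h.blockSize > maxBlockSize) {
            throw new IllegalArgumentException(
                "block size " + h.blockSize + " exceeds max " + maxBlockSize);
        }
        return h.blockSize;
    }

    public static void main(String[] args) {
        int maxBlockSize = 64 * 1024; // assumed frame maximum for this demo

        // Constructed headers: 0x00001000 (compressed, 4096 bytes),
        // 0x80001000 (uncompressed, 4096 bytes), 0xffffffff (-1 as a Java int).
        byte[][] headers = {
            {0x00, 0x10, 0x00, 0x00},
            {0x00, 0x10, 0x00, (byte) 0x80},
            {(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff},
        };

        for (byte[] h : headers) {
            int raw = ByteBuffer.wrap(h).order(ByteOrder.LITTLE_ENDIAN).getInt();
            BlockHeader b = parseBlockHeader(h);
            System.out.printf("raw=%d (0x%08x) compressed=%b blockSize=%d%n",
                raw, raw, b.compressed, b.blockSize);
            try {
                System.out.println("  accepted: " + checkedBlockSize(h, maxBlockSize));
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

The third header is the interesting one: it is read as -1, but after masking it becomes 2147483647 (0x7fffffff), which is positive and is then thrown out by the max-block-size check. That is the path the description is pointing at: the size handed to the decompressor is never negative, so the condition CVE-2021-3520's fix guards against is not reachable from a crafted block header here, though the bound check is still what prevents an absurd allocation for the masked value.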
