[
https://issues.apache.org/jira/browse/KAFKA-19951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042269#comment-18042269
]
Gaurav Narula commented on KAFKA-19951:
---------------------------------------
[~mimaison] [https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183#h.npq9cnryj03m] sheds more light on this.
{quote}lz4-java provides a matrix of compression and decompression algorithms:
* A JNI-based implementation based on the lz4 library
(LZ4Factory.nativeInstance(), LZ4Factory.fastestInstance())
* A Java implementation using the deprecated sun.misc.Unsafe API
(LZ4Factory.unsafeInstance(), LZ4Factory.fastestInstance(),
LZ4Factory.fastestJavaInstance())
* A Java implementation without sun.misc.Unsafe (LZ4Factory.safeInstance())
Each of these variants has:
* A "fast" decompressor
* A "safe" decompressor
* Compressors for various compression levels
The JNI "fast" decompressor is based on the LZ4_decompress_fast API of the lz4
C library. This function is deprecated because it lacks bounds checks and is
insecure on untrusted input. Other JNI-based APIs (the safe decompressor and
the compressors) are not vulnerable.
All Java-based implementations lack sufficient bounds checks. For the
sun.misc.Unsafe-based implementations, this can lead to denial of service and
information disclosure. For the normal Java implementations, this only leads to
ArrayIndexOutOfBoundsExceptions and is not a vulnerability.
{quote}
Kafka uses:
{{clients/src/main/java/org/apache/kafka/common/compress/Lz4BlockInputStream.java}}:
{code:java}
private static final LZ4SafeDecompressor DECOMPRESSOR =
    LZ4Factory.fastestInstance().safeDecompressor();
{code}
which I reckon is the Java implementation possibly returning the implementation
backed by {{sun.misc.Unsafe}} API and is therefore vulnerable. I'd appreciate a
second opinion as well though.
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: KAFKA-19951
> URL: https://issues.apache.org/jira/browse/KAFKA-19951
> Project: Kafka
> Issue Type: Bug
> Components: compression
> Reporter: PJ Fanning
> Priority: Major
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fkafka%20lz4-java&type=code
> The fork jar is a drop in replacement (same package name as the original jar)
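The question raised in the comment above is which backend {{LZ4Factory.fastestInstance()}} actually resolves to on a given JVM. The following is an added example (not code from the Kafka project or from the commenters) that answers it at runtime: it reports the backend each factory method selected and round-trips a buffer through the bounds-checked "safe" decompressor of a factory pinned to {{LZ4Factory.safeInstance()}}. It assumes the lz4-java {{LZ4Factory.toString()}} output contains the implementation name ("JNI", "JavaUnsafe" or "JavaSafe"); that format is an assumption about the library, not something the page states. The sample input is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

public final class Lz4BackendCheck {

    // Name of the backend a factory resolved to. Assumption: lz4-java's
    // LZ4Factory.toString() embeds the implementation name (JNI / JavaUnsafe / JavaSafe).
    static String backendOf(LZ4Factory factory) {
        return factory.toString();
    }

    // True when the resolved backend is the sun.misc.Unsafe-based Java implementation,
    // the one the advisory quoted above describes as lacking sufficient bounds checks.
    static boolean isUnsafeBacked(LZ4Factory factory) {
        return backendOf(factory).contains("Unsafe");
    }

    // Compress and then decompress with the factory's "safe" (bounded) decompressor,
    // mirroring the safeDecompressor() call used in Kafka's Lz4BlockInputStream.
    static byte[] roundTrip(LZ4Factory factory, byte[] input) {
        LZ4Compressor compressor = factory.fastCompressor();
        int maxLen = compressor.maxCompressedLength(input.length);
        byte[] compressed = new byte[maxLen];
        int compressedLen = compressor.compress(input, 0, input.length, compressed, 0, maxLen);

        LZ4SafeDecompressor decompressor = factory.safeDecompressor();
        byte[] restored = new byte[input.length];
        int restoredLen = decompressor.decompress(compressed, 0, compressedLen, restored, 0, input.length);
        return Arrays.copyOf(restored, restoredLen);
    }

    public static void main(String[] args) {
        // Report what each selection strategy resolved to on this JVM.
        LZ4Factory fastest = LZ4Factory.fastestInstance();      // native, else Unsafe, else safe
        LZ4Factory fastestJava = LZ4Factory.fastestJavaInstance(); // Unsafe, else safe
        LZ4Factory safe = LZ4Factory.safeInstance();            // pure Java, no Unsafe

        System.out.println("fastestInstance()     -> " + backendOf(fastest)
                + (isUnsafeBacked(fastest) ? "  [Unsafe-backed]" : ""));
        System.out.println("fastestJavaInstance() -> " + backendOf(fastestJava)
                + (isUnsafeBacked(fastestJava) ? "  [Unsafe-backed]" : ""));
        System.out.println("safeInstance()        -> " + backendOf(safe));

        // Constructed sample input; verify the pinned safe backend round-trips it intact.
        byte[] sample = "kafka lz4 block: constructed sample payload, repeated repeated repeated"
                .getBytes(StandardCharsets.UTF_8);
        byte[] restored = roundTrip(safe, sample);
        if (!Arrays.equals(sample, restored)) {
            throw new IllegalStateException("safeInstance() round-trip mismatch");
        }
        System.out.println("safeInstance() round-trip OK (" + restored.length + " bytes)");
    }
}
```

Run it on the same JVM and classpath as the broker or client under review: whether {{fastestInstance()}} lands on JNI or on the Unsafe backend depends on whether the native library can be loaded there, so the answer can differ between a developer machine and production hosts. Pinning to {{LZ4Factory.safeInstance()}} trades throughput for the bounds-checked pure-Java path until the dependency itself is swapped.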
--
This message was sent by Atlassian Jira
(v8.20.10#820010)