[ https://issues.apache.org/jira/browse/KAFKA-19951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042357#comment-18042357 ]

PJ Fanning edited comment on KAFKA-19951 at 12/3/25 1:10 AM:
-------------------------------------------------------------

So if you use safeDecompressor on Linux, you can be pretty sure lz4 is installed by default, so JNI will be used to use the native lz4 installation.
With Windows, lz4 is not installed by default. So safeDecompressor can return an instance that uses sun.misc.Unsafe, and lz4-java has inadequate bounds checking. This is exactly why there is a CVE for this.
So my assessment is that Kafka is pretty safe on Linux and very possibly/probably at risk on Windows.


was (Author: fanningpj):
So if you use safeDecompressor on Linux, you can be pretty sure lz4 is installed by default, so JNI will be used to use the native install.
With Windows, lz4 is not installed by default. So safeDecompressor can return an instance that uses sun.misc.Unsafe, and lz4-java has inadequate bounds checking. This is exactly why there is a CVE for this.
So my assessment is that Kafka is pretty safe on Linux and very possibly/probably at risk on Windows.
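A small check for operators who want to know which lz4-java backend (JNI, Unsafe or pure Java) their JVM actually resolves to, following the factory-then-safeDecompressor pattern the comment describes. This is an added example, not code from the Jira thread or from Kafka; it assumes lz4-java's net.jpountz.lz4 API and that LZ4Factory.toString() names the backend, which is how the library reports it as far as I know.

```java
import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

import java.nio.charset.StandardCharsets;

public class Lz4BackendCheck {

    // Reports which implementation fastestInstance() picked on this host.
    // Assumption: LZ4Factory.toString() yields e.g. "LZ4Factory:JNI",
    // "LZ4Factory:Unsafe" or "LZ4Factory:Java".
    static String resolvedBackend() {
        return LZ4Factory.fastestInstance().toString();
    }

    // True only if the JNI bindings load; false means the JVM falls back
    // to the Unsafe or pure-Java decoders, the case the comment flags on Windows.
    static boolean nativeAvailable() {
        try {
            LZ4Factory.nativeInstance();
            return true;
        } catch (Throwable t) {           // lz4-java raises an error when the lib is missing
            return false;
        }
    }

    // Round-trips a constructed payload through the same compressor/safeDecompressor
    // pair to confirm the selected backend works end to end.
    static boolean roundTrip(byte[] input) {
        LZ4Factory factory = LZ4Factory.fastestInstance();
        LZ4Compressor compressor = factory.fastCompressor();
        LZ4SafeDecompressor decompressor = factory.safeDecompressor();

        byte[] compressed = new byte[compressor.maxCompressedLength(input.length)];
        int compressedLen = compressor.compress(input, 0, input.length, compressed, 0, compressed.length);

        byte[] restored = new byte[input.length];
        int restoredLen = decompressor.decompress(compressed, 0, compressedLen, restored, 0);
        return restoredLen == input.length && java.util.Arrays.equals(input, restored);
    }

    public static void main(String[] args) {
        // Constructed sample payload; any bytes work here.
        byte[] sample = "kafka lz4 backend check, repeated repeated repeated".getBytes(StandardCharsets.UTF_8);
        System.out.println("backend          : " + resolvedBackend());
        System.out.println("JNI available    : " + nativeAvailable());
        System.out.println("round-trip ok    : " + roundTrip(sample));
    }
}
```

Run it with the lz4-java jar that your Kafka distribution ships on the classpath, since a different jar on a developer workstation may resolve to a different backend than the broker does.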

> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
>                 Key: KAFKA-19951
>                 URL: https://issues.apache.org/jira/browse/KAFKA-19951
>             Project: Kafka
>          Issue Type: Bug
>          Components: compression
>            Reporter: PJ Fanning
>            Priority: Major
>             Fix For: 3.9.2, 4.2.0, 4.0.2, 4.1.2
>
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fkafka%20lz4-java&type=code
> The fork jar is a drop in replacement (same package name as the original jar)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
