Potential security vulnerabilities in the C libraries.Can you help upgrade to patch versions?

[HelenParr]

Hi, @coolbeevip , @WillemJiang , I'd like to report a vulnerability issue in org.apache.servicecomb.pack:alpha-server:0.6.0.

Issue Description

org.apache.servicecomb.pack:alpha-server:0.6.0 directly or transitively depends on 55 C libraries (.so) cross many platforms(such as x86-64, x86, arm64, armhf). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

libzstd-jni.so from C project zstd(version:1.3.7) exposed 2 vulnerabilities: CVE-2021-24031, CVE-2019-11922 liblz4-java.so from C project lz4(version:1.8.3) exposed 2 vulnerabilities: CVE-2021-3520, CVE-2019-17543

Suggested Vulnerability Patch Versions

zstd has fixed the vulnerabilities in versions >=1.4.9 lz4 has fixed the vulnerabilities in versions >=1.9.2

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr

[WillemJiang]

Thanks for report it, we need to figure out which third party dependencies introduced the C libraries which need to upgrade. Could you share us some information how can you identify the C libraries dependencies?

[WillemJiang]

I just checked the dependency of alpha server , the C libraries issue is introduced by the kafka client. org.apache.kafka:kafka-clients:jar:2.5.1:compile [INFO] +- com.github.luben:zstd-jni:jar:1.4.4-7:compile [INFO] +- org.lz4:lz4-java:jar:1.7.1:compile

We need to consider to upgrade the kafka clients version.

[WillemJiang]

https://issues.apache.org/jira/browse/SCB-2459 Merged the patch into master branch.