jppf-grid / JPPF

The open source grid computing solution
https://www.jppf.org
Apache License 2.0

Potential security vulnerability in the C library may be invoked by Java code of JPPF. Could you help upgrade the vulnerable dependency? #39

Open HelenParr opened 2 years ago

HelenParr commented 2 years ago

Hi, @lolocohen, I'd like to report a vulnerability issue in org.jppf:jppf-common:6.3-alpha.

Issue Description

I noticed that org.jppf:jppf-common:6.3-alpha directly depends on org.lz4:lz4-java:1.6.0, as shown in the following dependency graph. However, org.lz4:lz4-java:1.6.0 suffers from the vulnerability which the C library lz4 (version 1.9.1) exposed, containing a high severity CVE: CVE-2019-17543.

Dependency Graph between Java and Shared Libraries


Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Java code. For instance, the following LZ4-JNI interfaces (Java code): LZ4JNIFastDecompressor::decompress(), LZ4JNISafeDecompressor::decompress(), LZ4JNICompressor::compress() can reach the vulnerable method (C code) LZ4_write32() reported by CVE-2019-17543.

Call chains:
LZ4JNISafeDecompressor::decompress() -> LZ4_decompress_safe() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNIFastDecompressor::decompress() -> LZ4_decompress_fast() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNICompressor::compress() -> LZ4_compress_limitedOutput() -> LZ4_compress_default() -> LZ4_compress_fast() -> LZ4_compress_fast_extState() -> LZ4_compress_generic() -> LZ4_write32()

Suggested Vulnerability Patch Versions

org.lz4:lz4-java:1.7.0 (>=1.7.0) has upgraded this vulnerable C library lz4 to the patch version 1.9.2.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~ Best regards, Helen Parr
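The report above makes two practical points for anyone consuming jppf-common: the native lz4 code is reachable through the LZ4-JNI classes, and the Java build tooling will not flag the bundled C library, so the lz4-java artifact version is the only signal a downstream build has. The following script is an added example, not code from the issue reporter or the JPPF project: it scans `mvn dependency:tree` output for `org.lz4:lz4-java` coordinates and flags any version below 1.7.0, the first release the report names as bundling the patched lz4 1.9.2. The sample tree text, the `check_lz4.sh` file name, and the threshold constant are assumptions for the example; the version comparison is a plain dotted-numeric compare and is not Maven's own resolution logic.

```shell
#!/bin/sh
# Added example (not part of the JPPF project or the original issue): flag
# org.lz4:lz4-java artifacts below the patched line in `mvn dependency:tree` output.
# Usage: mvn dependency:tree > tree.txt && sh check_lz4.sh tree.txt
#        sh check_lz4.sh --demo   (runs against the constructed sample below)

# First lz4-java release the report identifies as bundling lz4 1.9.2.
MIN_LZ4_JAVA="1.7.0"

# version_lt A B : succeeds when dotted version A is strictly older than B.
# Non-numeric components (e.g. "alpha") compare as 0; good enough for x.y.z tags.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1
  }'
}

# check_lz4_tree TREE_TEXT : prints one line per lz4-java occurrence and
# returns 1 if any of them is older than MIN_LZ4_JAVA, 0 otherwise.
check_lz4_tree() {
  found=0
  seen=0
  # Maven prints coordinates as group:artifact:type:version[:scope];
  # field 4 of the matched token is the version.
  for ver in $(printf '%s\n' "$1" | grep -o 'org\.lz4:lz4-java:[^:]*:[^: ]*' | cut -d: -f4); do
    seen=1
    if version_lt "$ver" "$MIN_LZ4_JAVA"; then
      echo "VULNERABLE: org.lz4:lz4-java:$ver (< $MIN_LZ4_JAVA, bundles unpatched lz4, CVE-2019-17543)"
      found=1
    else
      echo "ok: org.lz4:lz4-java:$ver"
    fi
  done
  [ "$seen" -eq 1 ] || echo "no org.lz4:lz4-java artifact found in tree"
  return $found
}

# Constructed sample resembling `mvn dependency:tree` output for a project that
# pulls lz4-java 1.6.0 transitively through jppf-common 6.3-alpha.
SAMPLE_TREE='[INFO] example:app:jar:1.0
[INFO] +- org.jppf:jppf-common:jar:6.3-alpha:compile
[INFO] |  \- org.lz4:lz4-java:jar:1.6.0:compile
[INFO] \- example:other-lib:jar:2.0:compile'

case "${1:-}" in
  --demo) check_lz4_tree "$SAMPLE_TREE" ;;
  "") ;;                                  # no argument: only define the functions
  *) check_lz4_tree "$(cat "$1")" ;;      # argument: path to saved dependency:tree output
esac
```

A non-zero exit from the script is the hook for a CI step; the fix on the consumer side is to override the transitive version (a `dependencyManagement` entry for `org.lz4:lz4-java` at 1.7.0 or later) until the upstream artifact itself moves, and the check keeps that override from silently regressing.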

PetitMote commented 1 month ago

Hello there @HelenParr

I’m sorry you never got any response. Sadly, my uncle, @lolocohen left us in 2022. We tried getting access to the project, but GitHub couldn’t respond to our demand and we were never able to make an announcement.

As JPPF was important to him, we would have loved for it to find a new maintainer. Feel free to fork it and make it your own if you wish.

Best regards Timothée

borisklug commented 1 month ago

Oh!

I am so sorry to hear that. I am very sorry for your loss. We still use JPPF in our jobs for distributed calculations.

Hope you can gain access to GitHub but also to the domain jppf.org. It would be nice to have jppf.org working again. If you need some help with it, just send me a message.

PetitMote commented 1 month ago

Thanks @borisklug

jppf.org is still reserved, I’ll try contacting the hoster and see if they can do something. Getting the complete host back would be best as we don’t have any save of the website. Looking back at it now, I remember it was me who recommended that hoster to him…

As for GitHub, we could try again, but I doubt it’ll change anything. And I don’t think I know anyone working there.