lz4 / lz4-java

LZ4 compression for Java
Apache License 2.0

lz4-java-1.7.1.jar is identified as Vulnerable dependency on Dependency Check #170

Closed wxue6 closed 3 years ago

wxue6 commented 3 years ago

Our project is currently using lz4-java-1.7.1.jar. However, it is identified as a vulnerable dependency by Dependency Check. Can you please advise how to resolve it? Thanks.

Identifiers:
pkg:maven/org.lz4/lz4-java@1.7.1 (Confidence: Highest)
cpe:2.3:a:lz4_project:lz4:1.7.1:::::::* (Confidence: Low)

Published Vulnerabilities: CVE-2019-17543

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSSv2: Base Score: MEDIUM (6.8) Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3: Base Score: HIGH (8.1) Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
MISC - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
MISC - https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2
MISC - https://github.com/lz4/lz4/issues/801
MISC - https://github.com/lz4/lz4/pull/756
MISC - https://github.com/lz4/lz4/pull/760
MISC - https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26@%3Cissues.kudu.apache.org%3E
MLIST - [arrow-dev] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191024 [jira] [Assigned] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191024 [jira] [Updated] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191025 [jira] [Commented] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [arrow-issues] 20191106 [jira] [Resolved] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
MLIST - [kudu-issues] 20200621 [jira] [Updated] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu
MLIST - [kudu-issues] 20200709 [jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu
SUSE - openSUSE-SU-2019:2398
SUSE - openSUSE-SU-2019:2399

Vulnerable Software & Versions:
cpe:2.3:a:lz4_project:lz4:::::::: versions up to (excluding) 1.9.2

odaira commented 3 years ago

lz4-java 1.7.1 is based on lz4 1.9.2.

wxue6 commented 3 years ago

Hi Rei,

Thanks for your reply. It seems net.jpountz.lz4 has moved to org.lz4.lz4-java, and the latest version is 1.7.1. My issue is that it has a vulnerability on the Dependency Check report (I showed the details in my last email). I am working on resolving all vulnerable dependencies. Your team is the owner of the jar. Can you please verify whether your jar has a vulnerability?

Thanks, Wei


odaira commented 3 years ago

It must be a false positive. lz4-java 1.7.1 is based on lz4 1.9.2, which includes a fix to CVE-2019-17543. I have never used the dependency check, but what would you want me to do?

wxue6 commented 3 years ago

Hi Rei,

On the Dependency Check report, it shows the following for lz4-java-1.7.1:

Published Vulnerabilities, CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

As you mentioned, lz4-java 1.7.1 is based on lz4 1.9.2, which includes a fix for CVE-2019-17543, so it should not be listed as vulnerable due to CVE-2019-17543.

Here is how we apply the Dependency Check plugin in our Gradle build:

```groovy
buildscript {
    dependencies {
        // OWASP Dependency Check Gradle plugin
        classpath 'org.owasp:dependency-check-gradle:5.3.2.1'
    }
}

apply plugin: 'org.owasp.dependencycheck'
```

Can you please check? If it shows the same and you think it is a false positive, can you please report it to jeremy.long@owasp.org, which is the Dependency Check contact?

Thanks a lot,

Wei


odaira commented 3 years ago

If you think the false positive is worth reporting, please do so yourself. If they ask for any evidence, you can refer them to my comment above. Or do they accept a report only from the author of the library?

wxue6 commented 3 years ago

Hi Rei,

I don't know whether they accept a report only from the author of the library or not. But I do think it will be more convincing if the author of the library reports it.

I can report it as well.

Thanks,

Wei


tcullum-rh commented 3 years ago


https://github.com/lz4/lz4-java/blob/8c23c97485e96df4b6b120872a8d93a06293520c/.travis.yml shows 1.9.2... So this vuln doesn't affect lz4-java. That's a false positive on the part of the scanner. It probably looks for "lz4" plus "1.7.1" and determines that this must be vulnerable because the two substrings exist, as 1.7.1 is below 1.9.2, but it doesn't realize they are two separate projects and actually only lz4 v1.9.2 is used.
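The practical fix on the scanning side, once the finding has been verified as a false positive as above, is a Dependency Check suppression scoped to exactly this package and CVE, so that any other CVE reported against lz4-java (or a different lz4-java version) still surfaces. This is an added example, not from the thread or the lz4-java project; the file name config/dependency-check-suppressions.xml is an assumed name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: config/dependency-check-suppressions.xml (added example) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: org.lz4:lz4-java 1.7.1 is the Java wrapper and bundles
        native lz4 1.9.2, which already contains the fix for CVE-2019-17543.
        The scanner matched the wrapper's version 1.7.1 against the native
        lz4 CPE (lz4_project:lz4, "versions up to (excluding) 1.9.2").
        See https://github.com/lz4/lz4-java/issues/170.
        ]]></notes>
        <!-- Match only the exact artifact and version that was reviewed, so an
             upgrade to another lz4-java version forces a fresh review. -->
        <packageUrl regex="true">^pkg:maven/org\.lz4/lz4\-java@1\.7\.1$</packageUrl>
        <!-- Suppress only this CVE, not the whole CPE, so future lz4 CVEs that
             are mapped to this artifact are still reported. -->
        <cve>CVE-2019-17543</cve>
    </suppress>
</suppressions>
```

Wire it into the Gradle build already shown in the thread with `dependencyCheck { suppressionFile = 'config/dependency-check-suppressions.xml' }`; keep the `<notes>` evidence current so the suppression can be audited later.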

odaira commented 3 years ago

Would you still need any help for this?

odaira commented 3 years ago

Closing this. Please reopen it if you think I should further work on it.