Project: AMQ Streams
Issue: ENTMQST-6237

[KAFKA] determine if kafka is vulnerable to CVE-2021-3520 in lz4

Type: Task
Priority: Undefined
Resolution: Unresolved

It looks like lz4-java is abandoned. There has not been a new release in 3 years: https://github.com/lz4/lz4-java

It is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2021-3520. This CVE is fixed in lz4 1.9.4, but the latest lz4-java (1.8.0) still uses lz4 1.9.3. It looks like master has been bumped to use 1.9.4, but it's not in an lz4-java release.

So we need to determine if we're vulnerable (and also why isn't Snyk picking this up!!).

And also why we marked it as fixed in AMQ Streams 2.1:
https://access.redhat.com/errata/RHSA-2022:1345

Assignee: Unassigned
Reporter: Luke Chen (lukchen@redhat.com)
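One way to answer "are we vulnerable" on a concrete Kafka distribution, as an added example written for this ticket (it is not Kafka, lz4-java or AMQ Streams code). CVE-2021-3520 is a bug in the lz4 C library, and lz4-java compiles that C code into the JNI library it bundles in its jar next to a pure-Java implementation, so the question reduces to two checks: which lz4-java release ships, and whether a JNI build for the host platform is bundled at all. The decision rule follows the ticket (every release up to 1.8.0 embeds lz4 1.9.3; anything newer must be verified against its embedded lz4 version). Assumed, not taken from the ticket: the Maven metadata path `META-INF/maven/org.lz4/lz4-java/pom.properties`, the native library layout `net/jpountz/util/<os>/<arch>/liblz4-java.<ext>`, and the `lz4-java-*.jar` file name in Kafka's `libs/` directory. The sample jar built by `build_sample_jar` is constructed so the check runs offline.

```python
"""Triage helper for CVE-2021-3520 exposure via lz4-java in a Kafka install.
Added example for this ticket, not project code; assumptions are marked."""
import io
import re
import zipfile
from pathlib import Path
from typing import NamedTuple, Optional, Tuple

# Assumption: lz4-java's jar carries Maven metadata here and bundles its JNI
# build as net/jpountz/util/<os>/<arch>/liblz4-java.<ext>.
POM_PROPERTIES = "META-INF/maven/org.lz4/lz4-java/pom.properties"
NATIVE_LIB_RE = re.compile(
    r"^net/jpountz/util/(?P<os>[^/]+)/(?P<arch>[^/]+)/liblz4-java\.(so|dylib|dll)$")

# From the ticket: lz4-java 1.8.0 (the latest release) still embeds lz4 1.9.3;
# the fix is in lz4 1.9.4, which only unreleased lz4-java master has picked up.
LAST_RELEASE_WITH_LZ4_193 = (1, 8, 0)

AFFECTED = "affected-if-jni-loaded"          # unfixed C lz4 bundled for some platform
NO_NATIVE = "no-native-lib-bundled"          # only the pure-Java codec can be used
VERIFY_NEWER = "newer-than-1.8.0-verify-embedded-lz4"
UNKNOWN = "version-unknown"


class Lz4JavaReport(NamedTuple):
    version: Optional[str]
    native_platforms: Tuple[str, ...]        # e.g. ("linux/amd64",)
    verdict: str


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """'1.8.0' -> (1, 8, 0); tolerates suffixes such as '-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_lz4_java_jar(jar_bytes: bytes) -> Lz4JavaReport:
    """Read the lz4-java version and the bundled JNI platforms from a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        natives = tuple(sorted(
            f"{m['os']}/{m['arch']}" for n in names if (m := NATIVE_LIB_RE.match(n))))

    parsed = parse_version(version) if version else None
    if parsed is None:
        verdict = UNKNOWN
    elif parsed > LAST_RELEASE_WITH_LZ4_193:
        verdict = VERIFY_NEWER
    elif natives:
        # The vulnerable code is the C library compiled into liblz4-java; it is
        # only reachable when the JNI implementation is selected at runtime.
        verdict = AFFECTED
    else:
        verdict = NO_NATIVE
    return Lz4JavaReport(version, natives, verdict)


def inspect_kafka_libs(libs_dir: str) -> Optional[Lz4JavaReport]:
    """Locate lz4-java-*.jar in a Kafka ./libs directory and inspect it."""
    jars = sorted(Path(libs_dir).glob("lz4-java-*.jar"))   # assumed file name
    return inspect_lz4_java_jar(jars[0].read_bytes()) if jars else None


def build_sample_jar(version: str, native_platforms=(), with_metadata=True) -> bytes:
    """Constructed stand-in for a real lz4-java jar so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_metadata:
            z.writestr(POM_PROPERTIES,
                       f"groupId=org.lz4\nartifactId=lz4-java\nversion={version}\n")
        z.writestr("net/jpountz/lz4/LZ4Factory.class", b"\xca\xfe\xba\xbe")
        for plat in native_platforms:
            z.writestr(f"net/jpountz/util/{plat}/liblz4-java.so", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar("1.8.0", ["linux/amd64", "darwin/x86_64"])
    print(inspect_lz4_java_jar(sample))
```

On a real host run `inspect_kafka_libs("/path/to/kafka/libs")`. A verdict of `affected-if-jni-loaded` still needs one runtime fact: whether the JNI implementation is the one lz4-java selects on that platform, since the pure-Java decompressor is a separate code base that this C-library CVE does not describe. It also suggests why a dependency scanner can miss the issue: the embedded lz4 C version is not a declared Maven dependency of lz4-java, so a scanner keyed on the lz4-java coordinates alone has nothing to match against.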