[ 
https://issues.apache.org/jira/browse/KAFKA-20043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050340#comment-18050340
 ] 

Chia-Ping Tsai commented on KAFKA-20043:
----------------------------------------

KAFKA-19951 has already updated lz4 to 1.10.1. See
[https://github.com/apache/kafka/pull/21035]

> Kafka-clients is vulnerable due to CVE-2025-12183, CVE-2025-66566
> -----------------------------------------------------------------
>
>                 Key: KAFKA-20043
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20043
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Jiyoung Lee
>            Priority: Major
>
> Kafka-clients references `lz4-java`, which needs to be updated due to
> vulnerability issues.
> `lz4-java` has to be 1.10.1 or higher to resolve the issue.
> h2. yawkat LZ4 Java has a possible information leak in Java safe decompressor
> h2. Description
> Insufficient clearing of the output buffer in Java-based decompressor 
> implementations in lz4-java 1.10.0 and earlier allows remote attackers to 
> read previous buffer contents via crafted compressed input. In applications 
> where the output buffer is reused without being cleared, this may lead to 
> disclosure of sensitive data.
> JNI-based implementations are _not_ affected.
> h2. LZ4 Java Compression has Out-of-bounds memory operations which can cause DoS
> h2. Description
> Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow 
> remote attackers to cause denial of service and read adjacent memory via 
> untrusted compressed input.
> This is fixed in a forked release: at.yawk.lz4:lz4-java version 1.8.1. The 
> original project has been archived: [https://github.com/lz4/lz4-java], and 
> Sonatype has added a redirect from org.lz4:lz4-java:1.8.1 to the new group ID.
>  



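As an added example, not part of this issue or the Kafka project's own code: a small audit that scans Gradle-style dependency-tree output for `lz4-java` under either group ID named above and flags any effective version below the 1.10.1 minimum the issue states, treating Gradle's resolved version (after `->`) as the one that ends up on the classpath. The dependency tree it runs over is constructed for the example, not real Kafka output.

```python
import re
from typing import List, Tuple

# Both coordinates the issue mentions: the archived original and the yawkat fork.
AFFECTED_ARTIFACTS = {("org.lz4", "lz4-java"), ("at.yawk.lz4", "lz4-java")}
# Minimum version the issue states as resolving both CVEs.
MIN_SAFE_VERSION = "1.10.1"

# Matches dependency-tree lines such as
#   +--- org.lz4:lz4-java:1.8.0
#   \--- org.lz4:lz4-java:1.8.0 -> 1.10.0
# capturing group, artifact, declared version and (optionally) the resolved version.
DEP_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([0-9][A-Za-z0-9_.\-]*)"
    r"(?:\s*->\s*([0-9][A-Za-z0-9_.\-]*))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.1' into (1, 10, 1); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_vulnerable_lz4(dependency_tree: str) -> List[Tuple[str, str, str]]:
    """Return (group, artifact, effective_version) for each lz4-java below MIN_SAFE_VERSION.

    The resolved version (after '->') takes precedence over the declared one, mirroring
    Gradle conflict resolution. Duplicate findings are reported once.
    """
    findings, seen = [], set()
    for line in dependency_tree.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, declared, resolved = m.groups()
        if (group, artifact) not in AFFECTED_ARTIFACTS:
            continue
        key = (group, artifact, resolved or declared)
        if key not in seen and parse_version(key[2]) < parse_version(MIN_SAFE_VERSION):
            seen.add(key)
            findings.append(key)
    return findings


# Constructed excerpt in the shape of `./gradlew dependencies` output (not real Kafka output).
SAMPLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.lz4:lz4-java:1.8.0
+--- org.slf4j:slf4j-api:1.7.36
\\--- some.lib:uses-lz4:2.0
     \\--- org.lz4:lz4-java:1.8.0 -> 1.10.0
"""

if __name__ == "__main__":
    for group, artifact, version in find_vulnerable_lz4(SAMPLE_TREE):
        print(f"{group}:{artifact}:{version} is below {MIN_SAFE_VERSION}")
```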
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
