
Potential security vulnerability in the C library may be invoked by Java code of JPPF. Could you help upgrade the vulnerable dependency? #39

Open
HelenParr opened this issue Apr 9, 2022 · 0 comments
Labels
bug Something isn't working

Comments

@HelenParr

Hi, @lolocohen, I'd like to report a vulnerability issue in org.jppf:jppf-common:6.3-alpha.

Issue Description

I noticed that org.jppf:jppf-common:6.3-alpha directly depends on org.lz4:lz4-java:1.6.0, as shown in the following dependency graph. However, org.lz4:lz4-java:1.6.0 suffers from the vulnerability which the C library lz4 (version 1.9.1) exposed, containing a high severity CVE: CVE-2019-17543.

Dependency Graph between Java and Shared Libraries

(image: dependency graph between Java and shared libraries, not reproduced here)

Furthermore, the vulnerable methods in the vulnerable shared libraries can actually be invoked by Java code. For instance, the following LZ4-JNI interfaces (Java code): LZ4JNIFastDecompressor::decompress(), LZ4JNISafeDecompressor::decompress(), LZ4JNICompressor::compress() can reach the vulnerable method (C code) LZ4_write32() reported by CVE-2019-17543.

Call chains:

LZ4JNISafeDecompressor::decompress() -> LZ4_decompress_safe() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNIFastDecompressor::decompress() -> LZ4_decompress_fast() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNICompressor::compress() -> LZ4_compress_limitedOutput() -> LZ4_compress_default() -> LZ4_compress_fast() -> LZ4_compress_fast_extState() -> LZ4_compress_generic() -> LZ4_write32()

Suggested Vulnerability Patch Versions

org.lz4:lz4-java:1.7.0 (>=1.7.0) has upgraded this vulnerable C library lz4 to the patch version 1.9.2.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~
Best regards,
Helen Parr

@HelenParr HelenParr added the bug Something isn't working label Apr 9, 2022
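The report's key point is that Java build tools do not see the native library bundled inside a jar, so a downstream project needs its own map from Java artifact to bundled C library. The script below is an added example (not part of the issue or of the JPPF or lz4-java projects) that scans constructed `mvn dependency:tree` output and flags org.lz4:lz4-java below 1.7.0, using only the version facts stated in the issue.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not taken from the issue);
# the line format is Maven's default "group:artifact:type:version:scope".
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.jppf:jppf-common:jar:6.3-alpha:compile
[INFO] |  \\- org.lz4:lz4-java:jar:1.6.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# Java artifacts that embed native code -> (first fixed version, CVE, note).
# The lz4-java entry reflects the issue text: 1.6.0 bundles lz4 1.9.1
# (CVE-2019-17543); 1.7.0 and later bundle the patched lz4 1.9.2.
NATIVE_BUNDLE_FIXES = {
    "org.lz4:lz4-java": ("1.7.0", "CVE-2019-17543", "bundled lz4 1.9.1 -> 1.9.2"),
}

DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)")


def parse_version(v):
    """Turn '1.6.0' or '6.3-alpha' into a sortable key.

    A qualified version (e.g. '1.7.0-alpha') sorts below the bare release
    ('1.7.0'), so pre-releases of the fix version are still flagged.
    """
    main, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    return nums, (qualifier == "", qualifier)


def find_vulnerable(tree_text):
    """Return (coordinate, version, fixed_version, cve) for each flagged line."""
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        key = f"{m.group(1)}:{m.group(2)}"
        version = m.group(3)
        if key in NATIVE_BUNDLE_FIXES:
            fixed, cve, _note = NATIVE_BUNDLE_FIXES[key]
            if parse_version(version) < parse_version(fixed):
                hits.append((key, version, fixed, cve))
    return hits


if __name__ == "__main__":
    for key, version, fixed, cve in find_vulnerable(SAMPLE_TREE):
        print(f"{key}:{version} bundles a native library affected by {cve}; upgrade to >= {fixed}")
```

Pipe the real output of `mvn dependency:tree` into `find_vulnerable` in CI to fail the build when the transitive lz4-java version is still below 1.7.0.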