From 71a2a84689d2202109f0f137e57fc0a542a46733 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Tue, 12 Nov 2024 11:54:11 +0100 Subject: [PATCH] fix (nifi): CVE-2024-36114 (#924) * fix (nifi): CVE-2024-36114 * adapted changelog * fix changelog --- CHANGELOG.md | 2 + ...E-2024-36114-bump-aircompressor-0-27.patch | 37 +++++++++++++++++++ ...E-2024-36114-bump-aircompressor-0-27.patch | 37 +++++++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch create mode 100644 nifi/stackable/patches/2.0.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch diff --git a/CHANGELOG.md b/CHANGELOG.md index c1b9ed832..a474c0f58 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,6 +67,7 @@ All notable changes to this project will be documented in this file. Spark 3.5.2 is not affected. ([#921]) - trino: Correctly report Trino version ([#881]). - hive: Fix CVE-2024-36114 in Hive `3.1.3` and `4.0.0` by upgrading a dependency. ([#922]). +- nifi: Fix CVE-2024-36114 in NiFi `1.27.0` and `2.0.0` by upgrading a dependency. ([#924]). - hbase: Fix CVE-2024-36114 in HBase `2.6.0` by upgrading a dependency. ([#925]). - druid: Fix CVE-2024-36114 in Druid `26.0.0` and `30.0.0` by upgrading a dependency ([#926]). @@ -115,6 +116,7 @@ All notable changes to this project will be documented in this file. [#920]: https://github.com/stackabletech/docker-images/pull/920 [#921]: https://github.com/stackabletech/docker-images/pull/921 [#922]: https://github.com/stackabletech/docker-images/pull/922 +[#924]: https://github.com/stackabletech/docker-images/pull/924 [#925]: https://github.com/stackabletech/docker-images/pull/925 [#926]: https://github.com/stackabletech/docker-images/pull/926 diff --git a/nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch b/nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch new file mode 100644 index 000000000..aa6663c92 --- /dev/null +++ b/nifi/stackable/patches/1.27.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch @@ -0,0 +1,37 @@ +Fix CVE-2024-36114 +see https://github.com/stackabletech/vulnerabilities/issues/834 + +Aircompressor is a library with ports of the Snappy, LZO, LZ4, and +Zstandard compression algorithms to Java. All decompressor +implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash +the JVM for certain input, and in some cases also leak the content of +other memory of the Java process (which could contain sensitive +information). When decompressing certain data, the decompressors try to +access memory outside the bounds of the given byte arrays or byte +buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to +speed up memory access, no additional bounds checks are performed and +this has similar security consequences as out-of-bounds access in C or +C++, namely it can lead to non-deterministic behavior or crash the JVM. +Users should update to Aircompressor 0.27 or newer where these issues +have been fixed. When decompressing data from untrusted users, this can +be exploited for a denial-of-service attack by crashing the JVM, or to +leak other sensitive information from the Java process. There are no +known workarounds for this issue. + +diff --git a/pom.xml b/pom.xml +index 0437c2b949..1a06052b3b 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -155,6 +155,12 @@ + + + ++ ++ ++ io.airlift ++ aircompressor ++ 0.27 ++ + + + + ++ ++ ++ io.airlift ++ aircompressor ++ 0.27 ++ + + ch.qos.logback + logback-classic