org.lz4:lz4-java
cpe:2.3:a:lz4_project:lz4:*:*:*:*:*:*:*
- <= 1.8.0
A vulnerability exists in the LZ4 Java library in versions through 1.8.0, caused by out-of-bounds memory operations in the JNI-based and sun.misc.Unsafe-based compression and decompression implementations. A remote attacker who can supply untrusted compressed input can trigger a denial of service or read adjacent memory. The root cause is that the 'fast' decompressor in the JNI implementation and all Java implementations built on sun.misc.Unsafe perform no bounds checks on the compressed stream.
Exploitation through the JNI-based implementation or the Unsafe-based Java implementations can therefore result in denial of service and unauthorized information disclosure. The ordinary (non-Unsafe) Java implementations fail differently on the same malformed input: the missing bounds checks surface as ArrayIndexOutOfBoundsException. That is not a vulnerability on its own, but it shows that the input validation is incomplete.
Users can upgrade to LZ4 Java version 1.8.1, which is available as a community-maintained fork, to address this vulnerability. This version replaces the vulnerable JNI-based fast decompressor with a safe Java implementation and updates the Unsafe-based compressors and decompressors to their safe counterparts. Applications can also temporarily switch to the safe implementation until they are ready to upgrade.
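The interim mitigation above, pinning the bounds-checked pure-Java implementation for any data that arrives from an untrusted source, looks like the following in application code. This is an added example written for this page; it is not code from the advisory or from the lz4-java project. It uses only the public `net.jpountz.lz4` API (`LZ4Factory.safeInstance()`, `fastCompressor()`, `safeDecompressor()`), the sample payload and the malformed byte sequence are constructed here, the `MAX_PLAINTEXT` cap is an assumed application policy, and it assumes Java 11 or later for `String.repeat`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

/**
 * Added example (not from the advisory or the lz4-java project): selects the
 * pure-Java "safe" implementation so that neither the JNI fast decompressor
 * nor the sun.misc.Unsafe-based code paths touch untrusted input.
 */
public final class SafeLz4Example {

    // safeInstance() returns the bounds-checked pure-Java implementation.
    // fastestInstance() would prefer JNI or Unsafe when available, which is
    // exactly the code path the advisory says to avoid on versions through 1.8.0.
    private static final LZ4Factory FACTORY = LZ4Factory.safeInstance();

    // Assumed application policy: largest decompressed size we are willing to
    // allocate for a single message, so a hostile length cannot exhaust memory.
    private static final int MAX_PLAINTEXT = 1 << 20;

    /** Compresses with the safe factory; the compressor side is unaffected by the flaw but kept consistent. */
    public static byte[] compress(byte[] input) {
        LZ4Compressor compressor = FACTORY.fastCompressor();
        byte[] buf = new byte[compressor.maxCompressedLength(input.length)];
        int n = compressor.compress(input, 0, input.length, buf, 0);
        return Arrays.copyOf(buf, n);
    }

    /**
     * Decompresses data received from an untrusted peer.
     * LZ4SafeDecompressor takes the compressed length explicitly, so it never
     * reads past the end of src, and maxDestLen bounds what it writes to dest.
     * Malformed input is reported as LZ4Exception instead of a memory error.
     */
    public static byte[] decompressUntrusted(byte[] src, int declaredLen) {
        if (declaredLen < 0 || declaredLen > MAX_PLAINTEXT) {
            throw new IllegalArgumentException("declared length outside policy: " + declaredLen);
        }
        LZ4SafeDecompressor decompressor = FACTORY.safeDecompressor();
        byte[] dest = new byte[declaredLen];
        int written = decompressor.decompress(src, 0, src.length, dest, 0, declaredLen);
        return Arrays.copyOf(dest, written);
    }

    public static void main(String[] args) {
        // Constructed sample payload for a round trip through the safe implementation.
        byte[] plain = "constructed sample payload for lz4-java safe mode ".repeat(8)
                .getBytes(StandardCharsets.UTF_8);
        byte[] packed = compress(plain);
        byte[] back = decompressUntrusted(packed, plain.length);
        System.out.println("round trip ok: " + Arrays.equals(plain, back));

        // Constructed malformed input: a literal run whose declared length
        // (15 + 255 + 255 bytes) is far longer than the data actually present.
        byte[] bogus = {(byte) 0xF0, (byte) 0xFF, (byte) 0xFF, 0x00};
        try {
            decompressUntrusted(bogus, 64);
            System.out.println("unexpected: malformed input accepted");
        } catch (LZ4Exception e) {
            System.out.println("malformed input rejected: " + e.getMessage());
        }
    }
}
```

Pinning `LZ4Factory.safeInstance()` once at class-load time, rather than calling `fastestInstance()` at each use site, is what makes the mitigation auditable: a single grep for `fastestInstance`, `nativeInstance` or `unsafeInstance` in the code base shows whether any untrusted-input path still bypasses it. Once the upgrade to 1.8.1 is in place the pin can be dropped, since that release substitutes the safe implementations for the vulnerable ones.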