SCA: security update for io.airlift:aircompressor (GHSA-973x-65j7-xcf4)

high Tenable Cloud Security Plugin ID 413092

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue. (CVE-2024-36114)

See Also

https://github.com/advisories/GHSA-973x-65j7-xcf4

Plugin Details

Severity: High

ID: 413092

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 5/27/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Percentile: 96.72

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2024-36114

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/2/2024

Vulnerability Publication Date: 5/29/2024

Reference Information

CVE: CVE-2024-36114