CVE-2024-36114
📋 TL;DR
Aircompressor library versions before 0.27 contain out-of-bounds memory access vulnerabilities in all decompressor implementations (LZ4, LZO, Snappy, Zstandard). This can crash the JVM or leak sensitive memory contents when processing malicious compressed data. Any Java application using Aircompressor to decompress untrusted data is affected.
💻 Affected Systems
- Aircompressor Java library
⚠️ Affected Versions
The vendor advisory (GHSA-973x-65j7-xcf4) gives the affected range as every release before 0.27; 0.27 is the first fixed version. If your application, or any of its transitive dependencies, resolves io.airlift:aircompressor to an older version, treat the application as affected.
- Review the CVE details at NVD
- Check the vendor advisory for the exact affected range
- Confirm whether compressed data from untrusted sources reaches an Aircompressor decompressor in your environment
- Update to 0.27 or later
⚠️ Risk & Real-World Impact
Worst Case
Complete JVM crash leading to denial of service, plus exposure of sensitive information like encryption keys, passwords, or application data from process memory.
Likely Case
JVM crashes causing service disruption when processing malicious compressed data from untrusted sources.
If Mitigated
No impact if only trusted data is decompressed or if the vulnerability is patched.
🎯 Exploit Status
Exploitation requires sending malicious compressed data to be decompressed. No authentication needed if the application accepts external input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.27
Vendor Advisory: https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4
Restart Required: Yes
Instructions:
1. Update the Aircompressor dependency to version 0.27 or newer in your build configuration (Maven pom.xml, Gradle build.gradle, etc.).
2. Rebuild and redeploy your application.
3. Restart the Java application/service.
🔧 Temporary Workarounds
No workarounds available
The advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Ensure only compressed data from trusted, authenticated sources reaches an Aircompressor decompressor. Validating the compressed bytes themselves is not a fix: the flaw is in how the decompressors handle a crafted stream, so there is no safe pre-check short of not decompressing untrusted input.
- Move decompression of untrusted input into a separate process or service that holds no secrets. A container or VM limits the blast radius of a crash (denial of service), but the memory that can leak belongs to the JVM doing the decompressing, so that JVM must not also hold keys, credentials, or other sensitive data.
🔍 How to Verify
Check if Vulnerable:
Look for io.airlift:aircompressor at a version below 0.27 in the resolved dependency tree, not only among the direct declarations in pom.xml or build.gradle: the library is often pulled in transitively by another dependency.
Check Version:
For Maven: mvn dependency:tree | grep aircompressor
For Gradle: gradle dependencies | grep aircompressor
Verify Fix Applied:
Confirm that the deployed application resolves Aircompressor to 0.27 or newer by checking the JAR actually on the classpath (aircompressor-<version>.jar, or its manifest), not just the build file; a stale artifact can survive a version bump in source.
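The check above, as an added example that is not part of this page or of the Aircompressor project: a script that pulls every io.airlift:aircompressor version out of `mvn dependency:tree` or `gradle dependencies` output (or a classpath listing of JAR files) and compares each against the 0.27 fix version. The sample dependency trees embedded below are constructed, and the parent artifact com.example:columnar-io that drags Aircompressor in is hypothetical; the coordinate formats are the ones the two tools actually print.

```python
import re

# First Aircompressor release containing the fix, per GHSA-973x-65j7-xcf4.
FIXED_VERSION = "0.27"

# Coordinate line as printed by `mvn dependency:tree`
# ("io.airlift:aircompressor:jar:0.26:compile") or `gradle dependencies`
# ("io.airlift:aircompressor:0.25 -> 0.26": the arrow shows the version Gradle
# actually resolved after conflict resolution, which is the one that ships).
_DEP_RE = re.compile(
    r"io\.airlift:aircompressor"
    r"(?::jar(?::[A-Za-z_-]+)?)?"                        # Maven type/classifier
    r":(?P<declared>[0-9][0-9A-Za-z.\-]*)"               # declared version
    r"(?:\s*->\s*(?P<resolved>[0-9][0-9A-Za-z.\-]*))?"   # Gradle resolution
)

# JAR on a deployed classpath, e.g. "/app/lib/aircompressor-0.26.jar".
_JAR_RE = re.compile(r"aircompressor-(?P<version>[0-9][0-9A-Za-z.\-]*)\.jar\b")


def version_key(version):
    """Sort key for Maven-style versions: numeric components, then qualifier.

    A qualified version such as 0.27-SNAPSHOT or 0.27-rc1 is a pre-release of
    0.27 and sorts *before* the plain release, so it is still flagged.
    """
    base, _, qualifier = version.partition("-")
    numbers = tuple(int(p) for p in base.split(".") if p.isdigit())
    return (numbers, 1 if qualifier == "" else 0)


def is_vulnerable(version):
    """True if this Aircompressor version predates the 0.27 fix."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_versions(text):
    """Every Aircompressor version named in dependency-tree output or a
    classpath listing, using the Gradle-resolved version where one is shown."""
    found = []
    for line in text.splitlines():
        m = _DEP_RE.search(line)
        if m:
            found.append(m.group("resolved") or m.group("declared"))
            continue
        m = _JAR_RE.search(line)
        if m:
            found.append(m.group("version"))
    return found


def assess(text):
    """Map each version found to whether it is affected by CVE-2024-36114."""
    return {v: is_vulnerable(v) for v in find_versions(text)}


# Constructed sample output; the parent artifact is hypothetical. Note that
# aircompressor is not declared directly: it arrives through a transitive
# dependency, which is why grepping pom.xml alone is not enough.
SAMPLE_MAVEN_TREE = """\
[INFO] com.example:report-service:jar:1.4.0
[INFO] +- com.example:columnar-io:jar:3.2.0:compile
[INFO] |  \\- io.airlift:aircompressor:jar:0.21:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

# Constructed Gradle output: the declared 0.25 was bumped to 0.27 by conflict
# resolution, so the shipped version is the fixed one.
SAMPLE_GRADLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- com.example:columnar-io:3.2.0
|    \\--- io.airlift:aircompressor:0.25 -> 0.27
\\--- org.slf4j:slf4j-api:2.0.9
"""

if __name__ == "__main__":
    for name, text in (("maven", SAMPLE_MAVEN_TREE), ("gradle", SAMPLE_GRADLE_TREE)):
        for version, vulnerable in assess(text).items():
            status = "VULNERABLE (< 0.27)" if vulnerable else "fixed"
            print(f"{name}: aircompressor {version}: {status}")
```

Pipe real tool output into `assess()` (for example `mvn dependency:tree` for each module of a multi-module build) rather than grepping build files; the Gradle arrow case shows why the resolved version, not the declared one, is what matters.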
📡 Detection & Monitoring
Log Indicators:
- JVM fatal error logs (hs_err_pid<pid>.log) reporting SIGSEGV or SIGBUS (Linux/macOS) or EXCEPTION_ACCESS_VIOLATION (Windows) with io.airlift.compress frames on the stack
- Abnormal application termination immediately after a request that carried compressed input
Network Indicators:
- Malformed or truncated LZ4, LZO, Snappy or Zstandard payloads sent to endpoints that decompress client-supplied data (observable only where the protocol is inspected)
SIEM Query:
source="hs_err_pid*.log" AND ("SIGSEGV" OR "SIGBUS" OR "EXCEPTION_ACCESS_VIOLATION") AND "io.airlift.compress" AND process="your_application_name"
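The log indicators above, turned into detection logic as an added example (not code from this page or from the Aircompressor project): a triage routine that reads an hs_err_pid log, requires both a memory-access fault and an Aircompressor frame on the stack before flagging it, and reports which codec's decompressor was running. The two log excerpts are constructed (addresses, pids and the com.example application frames are made up); the class names are illustrative and the match is on the io.airlift.compress package prefix, so it does not depend on them.

```python
import re

# Signals the HotSpot fatal-error log (hs_err_pid<pid>.log) reports for an
# invalid memory access: SIGSEGV/SIGBUS on Linux and macOS,
# EXCEPTION_ACCESS_VIOLATION on Windows.
_FAULT_RE = re.compile(r"\b(SIGSEGV|SIGBUS|EXCEPTION_ACCESS_VIOLATION)\b")

# Any frame under Aircompressor's package (io.airlift.compress). The match is
# on the package prefix only; the class names in the samples are illustrative.
_FRAME_RE = re.compile(r"\b(io\.airlift\.compress\.[A-Za-z0-9_.$]+)")

# Which codec's decompressor was on the stack, if it can be read off the frame.
_CODEC_RE = re.compile(r"(Lz4|Lzo|Snappy|Zstd)[A-Za-z]*Decompressor")


def analyze_hs_err(text):
    """Classify one fatal-error log body.

    Returns a dict with the signal seen ('fault'), the Aircompressor frames on
    the stack in log order ('aircompressor_frames'), the codec if identifiable
    ('decompressor'), and 'likely_cve_2024_36114', which is true only when a
    memory-access fault AND an Aircompressor frame are both present. A fault
    elsewhere, or an Aircompressor frame without a fault, is not flagged.
    """
    fault = _FAULT_RE.search(text)
    frames = _FRAME_RE.findall(text)
    codec = None
    for frame in frames:
        m = _CODEC_RE.search(frame)
        if m:
            codec = m.group(1)
            break
    return {
        "fault": fault.group(1) if fault else None,
        "aircompressor_frames": frames,
        "decompressor": codec,
        "likely_cve_2024_36114": bool(fault) and bool(frames),
    }


def triage(logs):
    """Given {filename: log text}, return the filenames worth escalating."""
    return [name for name, text in logs.items()
            if analyze_hs_err(text)["likely_cve_2024_36114"]]


# Constructed hs_err_pid excerpt showing the pattern to look for: a segfault
# with the decompressor on the stack, reached from code that reads
# client-supplied blobs (the com.example frame is hypothetical).
SAMPLE_AIRCOMPRESSOR_CRASH = """\
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f3c2a1b4e20, pid=4242, tid=4311
#
# Problematic frame:
# J 8123 c2 io.airlift.compress.lz4.Lz4RawDecompressor.decompress(JJJJ)I
#
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
J 8123 c2 io.airlift.compress.lz4.Lz4RawDecompressor.decompress(JJJJ)I
j  io.airlift.compress.lz4.Lz4Decompressor.decompress([BII[BII)I+20
j  com.example.ingest.BlobReader.readPayload([B)[B+44
"""

# Constructed crash that is NOT this CVE: same signal, no Aircompressor frame.
SAMPLE_UNRELATED_CRASH = """\
#  SIGSEGV (0xb) at pc=0x00007f11aa0022c0, pid=5150, tid=5160
# Problematic frame:
# C  [libexample.so+0x22c0]  example_native_parse+0x40
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  com.example.native.Parser.parse([B)I+0
"""

if __name__ == "__main__":
    logs = {"hs_err_pid4242.log": SAMPLE_AIRCOMPRESSOR_CRASH,
            "hs_err_pid5150.log": SAMPLE_UNRELATED_CRASH}
    for name in triage(logs):
        r = analyze_hs_err(logs[name])
        print(f"{name}: {r['fault']} in {r['decompressor']} decompressor "
              f"(innermost frame {r['aircompressor_frames'][0]})")
```

Run `triage()` over the hs_err_pid files collected from the JVM's working directory (or wherever -XX:ErrorFile points); requiring both the fault and the package prefix keeps crashes in unrelated native code, and ordinary Java exceptions mentioning Aircompressor, out of the alert queue.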
🔗 References
- https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071
- https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e
- https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f
- https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e
- https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4