[ https://issues.apache.org/jira/browse/SOLR-18013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jota Martos updated SOLR-18013:
-------------------------------
Description:
CVE ID: CVE-2025-12183
Affected Solr version: 9.10.0
Vulnerable dependency: lz4 1.8.0
Impact: Various lz4-java compression and decompression implementations do not
guard against out-of-bounds memory access. Untrusted input may lead to denial
of service and information disclosure.
Context: The official lz4-java project has been discontinued. A community fork
is available [here|https://github.com/yawkat/lz4-java]. To address
[CVE-2025-12183|https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183],
Sonatype has added a redirect from org.lz4:lz4-java:1.8.1 to the new group ID.
Fix: This is fixed in at.yawk.lz4:lz4-java:1.8.1

CVE ID: CVE-2025-66566
Affected Solr version: 9.10.0
Vulnerable dependency: lz4 1.8.0
Impact: Insufficient clearing of the output buffer in Java-based decompressor
implementations in lz4-java 1.10.0 and earlier allows remote attackers to read
previous buffer contents via crafted compressed input. In applications where
the output buffer is reused without being cleared, this may lead to disclosure
of sensitive data.
Fix: This is fixed in at.yawk.lz4:lz4-java:1.10.1
was:
CVE ID: CVE-2025-12183
Affected Solr version: 9.10.0
Vulnerable dependency: lz4 1.8.0
Impact: Various lz4-java compression and decompression implementations do not
guard against out-of-bounds memory access. Untrusted input may lead to denial
of service and information disclosure.
Context: The official lz4-java project has been discontinued. A community fork
is available [here|https://github.com/yawkat/lz4-java]. To address
[CVE-2025-12183|https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183],
Sonatype has added a redirect from org.lz4:lz4-java:1.8.1 to the new group ID.
Fix: This is fixed in at.yawk.lz4:lz4-java:1.8.1
> Upgrade lz4 jar to fix CVE-2025-12183 and CVE-2025-66566
> --------------------------------------------------------
>
> Key: SOLR-18013
> URL: https://issues.apache.org/jira/browse/SOLR-18013
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 9.10.1
> Reporter: Jota Martos
> Priority: Major
>
> CVE ID: CVE-2025-12183
> Affected Solr version: 9.10.0
> Vulnerable dependency: lz4 1.8.0
> Impact: Various lz4-java compression and decompression implementations do not
> guard against out-of-bounds memory access. Untrusted input may lead to denial
> of service and information disclosure.
> Context: The official lz4-java project has been discontinued. A community
> fork is available [here|https://github.com/yawkat/lz4-java]. To address
> [CVE-2025-12183|https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183],
> Sonatype has added a redirect from org.lz4:lz4-java:1.8.1 to the new group
> ID.
> Fix: This is fixed in at.yawk.lz4:lz4-java:1.8.1
>
> CVE ID: CVE-2025-66566
> Affected Solr version: 9.10.0
> Vulnerable dependency: lz4 1.8.0
> Impact: Insufficient clearing of the output buffer in Java-based decompressor
> implementations in lz4-java 1.10.0 and earlier allows remote attackers to
> read previous buffer contents via crafted compressed input. In applications
> where the output buffer is reused without being cleared, this may lead to
> disclosure of sensitive data.
> Fix: This is fixed in at.yawk.lz4:lz4-java:1.10.1
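As an added example, not part of this issue or of the Solr or lz4-java projects, the following script audits a list of Maven coordinates against the fixed-in versions the issue states (CVE-2025-12183 fixed in 1.8.1, CVE-2025-66566 fixed in 1.10.1). The sample coordinate list is constructed; the group and artifact names are the ones named in the issue.

```python
"""Audit lz4-java dependency coordinates against the two CVEs tracked in SOLR-18013."""
import re

# First fixed release per CVE, as stated in the issue (at.yawk.lz4:lz4-java versions).
FIXED_IN = {
    "CVE-2025-12183": (1, 8, 1),
    "CVE-2025-66566": (1, 10, 1),
}
LZ4_ARTIFACT = "lz4-java"
# The original (discontinued) group and the community fork's group from the issue.
LZ4_GROUPS = {"org.lz4", "at.yawk.lz4"}


def parse_version(text):
    """Turn '1.10.1' into (1, 10, 1) so versions compare numerically, not lexically
    (a plain string compare would wrongly rank '1.8.1' above '1.10.0')."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def open_cves(coordinate):
    """Return the CVE IDs from the issue that still apply to a 'group:artifact:version'
    coordinate. Coordinates that are not lz4-java yield an empty list; the org.lz4
    group is judged by version only, since 1.8.1 under that group redirects to the fork."""
    group, artifact, version = coordinate.split(":", 2)
    if artifact != LZ4_ARTIFACT or group not in LZ4_GROUPS:
        return []
    found = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if found < fixed]


def audit(coordinates):
    """Map every coordinate that has open CVEs to its list of CVE IDs."""
    findings = {}
    for coord in coordinates:
        cves = open_cves(coord)
        if cves:
            findings[coord] = cves
    return findings


if __name__ == "__main__":
    # Constructed sample resembling a classpath listing for the affected Solr release.
    sample = ["org.lz4:lz4-java:1.8.0", "org.apache.lucene:lucene-core:9.10.0",
              "at.yawk.lz4:lz4-java:1.10.1"]
    for coord, cves in audit(sample).items():
        print(f"{coord}: {', '.join(cves)}")
```

Feed it the output of a dependency listing (for example `gradle dependencies` trimmed to coordinates) to confirm that no lz4-java below 1.10.1 remains on the classpath after the upgrade.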
--
This message was sent by Atlassian Jira
(v8.20.10#820010)