Several vulnerabilities in the shared libraries which hawkbit-extensions depends on.

[HelenParr]

Hi, @kaikreuzer , @laverman , I'd like to report a vulnerability issue in org.eclipse.hawkbit:hawkbit-update-server-azure:0.3.0M7.

Issue Description

org.eclipse.hawkbit:hawkbit-update-server-azure:0.3.0M7 directly or transitively depends on 28 C libraries (.so) cross many platforms(such as ppc64, aarch64, amd64, i386, mips64). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

llibzstd-jni.so from C project zstd(version:1.4.4) exposed 1 vulnerabilities: CVE-2021-24032 liblz4-java.so from C project lz4(version:1.9.1) exposed 1 vulnerabilities: CVE-2019-17543

Suggested Vulnerability Patch Versions

zstd has fixed the vulnerabilities in versions >=1.4.9 lz4 has fixed the vulnerabilities in versions >=1.9.2

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr