Takin icon indicating copy to clipboard operation
Takin copied to clipboard
verified publisher icon shulieTech

Vulnerable shared libraries might make tro-server-monitor vulnerable. Can you help upgrade to patch versions?

Open HelenParr opened this issue 3 years ago • 0 comments

Hi, @shulieTech , @vinzhangya , I'd like to report a vulnerability issue in io.shulie.tro:tro-server-monitor:1.15.0.

Issue Description

io.shulie.tro:tro-server-monitor:1.15.0 directly or transitively depends on 42 C libraries (.so) cross many platforms(such as x86-64, x86, arm64, armhf). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

libzstd-jni.so from C project zstd(version:1.3.7) exposed 2 vulnerabilities: CVE-2021-24031, CVE-2019-11922 liliblz4-java.so from C project lz4(version:1.8.3) exposed 2 vulnerabilities: CVE-2021-3520, CVE-2019-17543

Suggested Vulnerability Patch Versions

zstd has fixed the vulnerabilities in versions >=1.4.9 lz4 has fixed the vulnerabilities in versions >=1.9.2

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr

HelenParr avatar Apr 25 '22 17:04 HelenParr