CVE-2024-36114: Aircompressor Library DOS Vulnerability

CVE-2024-36114 Overview

CVE-2024-36114 is a high-severity out-of-bounds read vulnerability affecting Aircompressor, a Java library providing ports of popular compression algorithms including Snappy, LZO, LZ4, and Zstandard. All decompressor implementations in the library can crash the JVM when processing specially crafted input, and in some cases leak sensitive information from other memory regions of the Java process.

The vulnerability stems from the library's use of sun.misc.Unsafe for performance optimization, which bypasses standard Java memory bounds checking. When decompressing malformed data, the decompressors attempt to access memory outside the bounds of given byte arrays or byte buffers, leading to behavior similar to out-of-bounds memory access in C or C++.

Critical Impact
Attackers can exploit this vulnerability to crash Java applications (denial of service) or potentially leak sensitive information from JVM memory when processing untrusted compressed data.

Affected Products

Aircompressor versions prior to 0.27
LZ4 decompressor implementation (Lz4RawDecompressor)
LZO decompressor implementation (LzoRawDecompressor)
Snappy decompressor implementation (SnappyRawDecompressor)
Zstandard decompressor implementation (ZstdFrameDecompressor)

Discovery Timeline

2024-05-29 - CVE CVE-2024-36114 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-36114

Vulnerability Analysis

This vulnerability is classified as CWE-125 (Out-of-bounds Read). The core issue lies in how Aircompressor's decompression routines handle length values parsed from compressed input streams. The library uses sun.misc.Unsafe to achieve high-performance memory operations, but this approach comes at the cost of bypassing Java's standard array bounds checking.

When processing maliciously crafted compressed data, the decompressors can encounter negative length values due to integer overflow conditions. Since the code does not validate that length values are positive before using them in memory operations, the Unsafe class methods proceed to access memory at invalid addresses.

Root Cause

The root cause is insufficient input validation in the decompression routines across all supported compression algorithms. Specifically:

LZ4 Decompressor: The Lz4RawDecompressor did not validate that literalLength values were non-negative before attempting memory copies
LZO Decompressor: The LzoRawDecompressor failed to check for negative matchLength values
Snappy Decompressor: The SnappyRawDecompressor did not verify that compressed length values were positive
Zstandard Decompressor: The ZstdFrameDecompressor had incorrect bounds checking that used the wrong address variable, allowing reads past input buffer limits

Attack Vector

The attack vector is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:

Crafting malicious compressed data containing values that cause integer overflow when parsed
Sending this data to an application using Aircompressor for decompression
The decompressor attempts to read memory using negative or excessively large length values
This results in either JVM crash (denial of service) or information disclosure from adjacent memory regions

Applications that decompress data from untrusted sources (e.g., user uploads, network streams, inter-service communication) are particularly at risk.

java

// Security patch for LZ4 decompressor - Fix out of bounds read due to negative length
// Source: https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071

                }
                while (value == 255 && input < inputLimit - 15);
            }
+            if (literalLength < 0) {
+                throw new MalformedInputException(input - inputAddress);
+            }

            // copy literal
            long literalEnd = input + literalLength;

java

// Security patch for LZO decompressor - Fix out of bounds read due to negative length
// Source: https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071

                }
                firstCommand = false;

+                if (matchLength < 0) {
+                    throw new MalformedInputException(input - inputAddress);
+                }
+
                // copy match
                if (matchLength != 0) {
                    // lzo encodes match offset minus one

java

// Security patch for Snappy decompressor - Verify length is positive
// Source: https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e

                }
            }
        }
+        if (result < 0) {
+            throw new MalformedInputException(compressedAddress, "negative compressed length");
+        }
        return new int[] {result, bytesRead};
    }

java

// Security patch for Zstandard decompressor - Fix bounds checks using correct address variable
// Source: https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f

                int decodedSize;
                switch (blockType) {
                    case RAW_BLOCK:
-                        verify(inputAddress + blockSize <= inputLimit, input, "Not enough input bytes");
+                        verify(input + blockSize <= inputLimit, input, "Not enough input bytes");
                        decodedSize = decodeRawBlock(inputBase, input, blockSize, outputBase, output, outputLimit);
                        input += blockSize;
                        break;
                    case RLE_BLOCK:
-                        verify(inputAddress + 1 <= inputLimit, input, "Not enough input bytes");
+                        verify(input + 1 <= inputLimit, input, "Not enough input bytes");
                        decodedSize = decodeRleBlock(blockSize, inputBase, input, outputBase, output, outputLimit);
                        input += 1;
                        break;
                    case COMPRESSED_BLOCK:
-                        verify(inputAddress + blockSize <= inputLimit, input, "Not enough input bytes");
+                        verify(input + blockSize <= inputLimit, input, "Not enough input bytes");
                        decodedSize = decodeCompressedBlock(inputBase, input, blockSize, outputBase, output, outputLimit, frameHeader.windowSize, outputAddress);
                        input += blockSize;
                        break;

Detection Methods for CVE-2024-36114

Indicators of Compromise

Unexpected JVM crashes with segmentation faults or SIGSEGV errors during decompression operations
Java applications terminating abnormally when processing compressed data streams
Memory access violations in stack traces referencing Aircompressor decompressor classes
Unusual patterns of malformed compressed data being submitted to application endpoints

Detection Strategies

Monitor application logs for MalformedInputException errors from Aircompressor decompression routines
Implement runtime monitoring for JVM crashes associated with native memory access violations
Use Software Composition Analysis (SCA) tools to identify applications using vulnerable Aircompressor versions (prior to 0.27)
Deploy application performance monitoring to detect unusual memory access patterns during decompression

Monitoring Recommendations

Enable JVM crash reporting and configure alerts for segmentation faults in production environments
Monitor for sudden application restarts or process terminations in services using Aircompressor
Implement request logging to correlate potentially malicious compressed data with crash events
Configure dependency scanning in CI/CD pipelines to flag vulnerable Aircompressor versions

How to Mitigate CVE-2024-36114

Immediate Actions Required

Upgrade Aircompressor to version 0.27 or newer immediately across all affected applications
Audit all applications and services that use Aircompressor for compression/decompression operations
Prioritize patching for applications that process compressed data from untrusted sources
Review dependency trees to identify transitive dependencies on vulnerable Aircompressor versions

Patch Information

The vulnerability has been fixed in Aircompressor version 0.27. The fix adds explicit validation checks for negative length values across all decompressor implementations:

For complete details, refer to the GitHub Security Advisory GHSA-973x-65j7-xcf4.

Workarounds

There are no known workarounds for this vulnerability according to the security advisory
Avoid processing compressed data from untrusted sources until patching is complete
Implement input size limits and rate limiting on endpoints accepting compressed data
Consider wrapping decompression calls in isolated processes to limit crash impact on main application

bash

# Maven dependency update example
# Update pom.xml to use patched version
mvn versions:use-latest-versions -Dincludes=io.airlift:aircompressor

# Verify the updated version
mvn dependency:tree | grep aircompressor
# Should show: io.airlift:aircompressor:jar:0.27 or newer

CVE-2024-36114 Overview

Critical Impact
Attackers can exploit this vulnerability to crash Java applications (denial of service) or potentially leak sensitive information from JVM memory when processing untrusted compressed data.

Affected Products

Aircompressor versions prior to 0.27
LZ4 decompressor implementation (Lz4RawDecompressor)
LZO decompressor implementation (LzoRawDecompressor)
Snappy decompressor implementation (SnappyRawDecompressor)
Zstandard decompressor implementation (ZstdFrameDecompressor)

Discovery Timeline

2024-05-29 - CVE CVE-2024-36114 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-36114

Vulnerability Analysis

Root Cause

The root cause is insufficient input validation in the decompression routines across all supported compression algorithms. Specifically:

LZ4 Decompressor: The Lz4RawDecompressor did not validate that literalLength values were non-negative before attempting memory copies
LZO Decompressor: The LzoRawDecompressor failed to check for negative matchLength values
Snappy Decompressor: The SnappyRawDecompressor did not verify that compressed length values were positive
Zstandard Decompressor: The ZstdFrameDecompressor had incorrect bounds checking that used the wrong address variable, allowing reads past input buffer limits

Attack Vector

The attack vector is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:

Crafting malicious compressed data containing values that cause integer overflow when parsed
Sending this data to an application using Aircompressor for decompression
The decompressor attempts to read memory using negative or excessively large length values
This results in either JVM crash (denial of service) or information disclosure from adjacent memory regions

Applications that decompress data from untrusted sources (e.g., user uploads, network streams, inter-service communication) are particularly at risk.

java

// Security patch for LZ4 decompressor - Fix out of bounds read due to negative length
// Source: https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071

                }
                while (value == 255 && input < inputLimit - 15);
            }
+            if (literalLength < 0) {
+                throw new MalformedInputException(input - inputAddress);
+            }

            // copy literal
            long literalEnd = input + literalLength;

java

// Security patch for LZO decompressor - Fix out of bounds read due to negative length
// Source: https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071

                }
                firstCommand = false;

+                if (matchLength < 0) {
+                    throw new MalformedInputException(input - inputAddress);
+                }
+
                // copy match
                if (matchLength != 0) {
                    // lzo encodes match offset minus one

java

// Security patch for Snappy decompressor - Verify length is positive
// Source: https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e

                }
            }
        }
+        if (result < 0) {
+            throw new MalformedInputException(compressedAddress, "negative compressed length");
+        }
        return new int[] {result, bytesRead};
    }

java

// Security patch for Zstandard decompressor - Fix bounds checks using correct address variable
// Source: https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f

                int decodedSize;
                switch (blockType) {
                    case RAW_BLOCK:
-                        verify(inputAddress + blockSize <= inputLimit, input, "Not enough input bytes");
+                        verify(input + blockSize <= inputLimit, input, "Not enough input bytes");
                        decodedSize = decodeRawBlock(inputBase, input, blockSize, outputBase, output, outputLimit);
                        input += blockSize;
                        break;
                    case RLE_BLOCK:
-                        verify(inputAddress + 1 <= inputLimit, input, "Not enough input bytes");
+                        verify(input + 1 <= inputLimit, input, "Not enough input bytes");
                        decodedSize = decodeRleBlock(blockSize, inputBase, input, outputBase, output, outputLimit);
                        input += 1;
                        break;
                    case COMPRESSED_BLOCK:
-                        verify(inputAddress + blockSize <= inputLimit, input, "Not enough input bytes");
+                        verify(input + blockSize <= inputLimit, input, "Not enough input bytes");
                        decodedSize = decodeCompressedBlock(inputBase, input, blockSize, outputBase, output, outputLimit, frameHeader.windowSize, outputAddress);
                        input += blockSize;
                        break;

Detection Methods for CVE-2024-36114

Indicators of Compromise

Unexpected JVM crashes with segmentation faults or SIGSEGV errors during decompression operations
Java applications terminating abnormally when processing compressed data streams
Memory access violations in stack traces referencing Aircompressor decompressor classes
Unusual patterns of malformed compressed data being submitted to application endpoints

Detection Strategies

Monitor application logs for MalformedInputException errors from Aircompressor decompression routines
Implement runtime monitoring for JVM crashes associated with native memory access violations
Use Software Composition Analysis (SCA) tools to identify applications using vulnerable Aircompressor versions (prior to 0.27)
Deploy application performance monitoring to detect unusual memory access patterns during decompression

Monitoring Recommendations

Enable JVM crash reporting and configure alerts for segmentation faults in production environments
Monitor for sudden application restarts or process terminations in services using Aircompressor
Implement request logging to correlate potentially malicious compressed data with crash events
Configure dependency scanning in CI/CD pipelines to flag vulnerable Aircompressor versions

How to Mitigate CVE-2024-36114

Immediate Actions Required

Upgrade Aircompressor to version 0.27 or newer immediately across all affected applications
Audit all applications and services that use Aircompressor for compression/decompression operations
Prioritize patching for applications that process compressed data from untrusted sources
Review dependency trees to identify transitive dependencies on vulnerable Aircompressor versions

Patch Information

The vulnerability has been fixed in Aircompressor version 0.27. The fix adds explicit validation checks for negative length values across all decompressor implementations:

For complete details, refer to the GitHub Security Advisory GHSA-973x-65j7-xcf4.

Workarounds

There are no known workarounds for this vulnerability according to the security advisory
Avoid processing compressed data from untrusted sources until patching is complete
Implement input size limits and rate limiting on endpoints accepting compressed data
Consider wrapping decompression calls in isolated processes to limit crash impact on main application

bash

# Maven dependency update example
# Update pom.xml to use patched version
mvn versions:use-latest-versions -Dincludes=io.airlift:aircompressor

# Verify the updated version
mvn dependency:tree | grep aircompressor
# Should show: io.airlift:aircompressor:jar:0.27 or newer

CVE-2024-36114: Aircompressor Library DOS Vulnerability

CVE-2024-36114 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-36114

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-36114

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-36114

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2024-36114: Aircompressor Library DOS Vulnerability

CVE-2024-36114 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-36114

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-36114

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-36114

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform