
Cloud Vulnerability DB
A community-led vulnerabilities database
iq80 Snappy, a compression/decompression library, contains a vulnerability where it attempts to read outside the bounds of given byte arrays during decompression operations. The vulnerability was discovered and disclosed on June 3, 2024, affecting all versions prior to 0.5. This security issue impacts systems using the iq80 Snappy library for data compression and decompression operations (GitHub Advisory, NVD).
The vulnerability stems from the library's use of the JDK class sun.misc.Unsafe to optimize memory access. When processing certain decompression operations, the library attempts to access memory outside the bounds of the given byte arrays. Because sun.misc.Unsafe performs no bounds checks of its own, the result is behavior similar to an out-of-bounds access in C or C++. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L and is classified as CWE-125 (Out-of-bounds Read) (NVD).
When processing decompression data from untrusted sources, this vulnerability can be exploited to cause non-deterministic behavior or crash the JVM, effectively enabling denial-of-service attacks. The out-of-bounds read access can lead to system instability and service disruption (GitHub Advisory).
Users are advised to upgrade to version 0.5 of iq80 Snappy as an immediate mitigation. However, since the library is no longer actively maintained, the recommended long-term solution is to migrate to the Snappy implementation in aircompressor (version 0.27 or newer) (GitHub Advisory).
Source: This report was generated using AI