Vulnerable shared libraries might make nebula-exchange vulnerable. Can you help upgrade to patch versions?

[HelenParr]

Hi, @Nicole00 , @cooper-lzy , I'd like to report a vulnerability issue in com.vesoft:nebula-exchange:2.6.3.

Issue Description

com.vesoft:nebula-exchange:2.6.3 directly or transitively depends on 52 C libraries (.so) cross many platforms(such as x86-64, x86, arm64, armhf). However, I noticed that some C library are vulnerable, containing the following CVEs:

libzstd-jni.so from C project zstd(version:1.3.7) exposed 2 vulnerabilities:
CVE-2021-24031, CVE-2019-11922
liblz4-java.so from C project lz4(version:1.8.3) exposed 2 vulnerabilities:
CVE-2021-3520, CVE-2019-17543

Suggested Vulnerability Patch Versions

zstd has fixed the vulnerabilities in versions >=1.4.9
lz4 has fixed the vulnerabilities in versions >=1.9.2

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects.
Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,

[randomJoe211]

Hi, HelenParr! Thank you for the heads-up!
@Sophie-Xie @MuYiYong Please take a look.

[MuYiYong]

@HelenParr Hi，Thanks for your reminding.
We will check and fix.

[CPWstatic]

Hi there, I didn't find any direct dependencies. How do you notice these dependencies?

[Sophie-Xie]

Close it first, and open it if there is new information.