java.lang.RuntimeException in net.lingala.zip4j.util.Zip4jUtil.getCompressionMethod::Zip4jUtil.java:121 zip4j 2.9.0 #376

Closed
ZanderHuang opened this issue Oct 24, 2021 · 2 comments
Labels: bug (Something isn't working), resolved

Comments

@ZanderHuang

This vulnerability is a java.lang.RuntimeException and can be triggered in the latest version of zip4j (2.9.0).
It is caused by an unchecked exception, or by wrapping a general unchecked exception around another exception that extends RuntimeException, and can be used by attackers to launch a DoS (Denial of Service) attack against any Java program that uses this library (since the user of zip4j doesn't know they need to catch this kind of exception) (CWE-248: Uncaught Exception).
Likely, the root cause of this crash is in net.lingala.zip4j.util.Zip4jUtil.getCompressionMethod::Zip4jUtil.java:121.

throw new RuntimeException("AesExtraDataRecord not present in local header for aes encrypted data");
The variable "localFileHeader" is not NULL; however, its component "getAesExtraDataRecord" is NULL, and this results in the RuntimeException.

See more detail in the following crash stack.

Crash stack:

The crash thread's stack is as follows:

net.lingala.zip4j.util.Zip4jUtil.getCompressionMethod::Zip4jUtil.java:121
net.lingala.zip4j.io.inputstream.ZipInputStream.getCompressedSize::ZipInputStream.java:318
net.lingala.zip4j.io.inputstream.ZipInputStream.initializeEntryInputStream::ZipInputStream.java:222
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:113
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:83
com.test.Entry.main::Entry.java:37

Steps to reproduce:

  1. Build the following Java code with the corresponding zip4j library (version 2.9.0).
     ## Download zip4j_env_reproduce.tar.gz from https://drive.google.com/file/d/1MekCBIghKxIW4j-TLjZkm8ovvLb_grm5/view?usp=sharing
     tar -xf zip4j_env_reproduce.tar.gz
     cd zip4j_env_reproduce
     bash build.sh
  2. Run the built program to see the crash by feeding it one of the PoC files contained in pocs.tar.gz, e.g.:
     (the PoC files can be downloaded from https://drive.google.com/file/d/1-tI49fljs6XYhaphgJbO7M_inEQwZd2W/view?usp=sharing)
     java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-2e99f99d7396ae948c4d180fc306de98070ab7af

Any further discussion of this vulnerability, including a fix, is welcome!
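The defensive pattern the report implies for callers, added here as an editor's example (not code from the issue or from zip4j): treat the archive as untrusted and catch the unchecked RuntimeException at the processing boundary alongside the checked ZipException/IOException, so a malformed entry is rejected instead of crashing the worker thread. The ZipInputStream, LocalFileHeader and ZipException names are zip4j's public 2.x API as visible in the stack trace; the class and Result type are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import net.lingala.zip4j.exception.ZipException;
import net.lingala.zip4j.io.inputstream.ZipInputStream;
import net.lingala.zip4j.model.LocalFileHeader;

/** Lists the entries of an untrusted archive without letting a malformed
 *  header take down the calling thread. Example code, not part of zip4j. */
public final class SafeZipLister {
    /** Outcome of one listing attempt: entry names, or the reason it was rejected. */
    public static final class Result {
        public final List<String> entryNames;   // empty when rejected
        public final String rejectionReason;    // null when accepted
        private Result(List<String> names, String reason) {
            this.entryNames = Collections.unmodifiableList(names);
            this.rejectionReason = reason;
        }
        public boolean accepted() { return rejectionReason == null; }
    }

    public static Result list(Path archive) {
        List<String> names = new ArrayList<>();
        // Assumption: 'archive' arrives from an untrusted source (upload, mail, etc.).
        try (InputStream in = Files.newInputStream(archive);
             ZipInputStream zis = new ZipInputStream(in)) {
            LocalFileHeader header;
            while ((header = zis.getNextEntry()) != null) {
                names.add(header.getFileName());
            }
            return new Result(names, null);
        } catch (ZipException e) {
            // Checked zip4j error: the library itself recognised the archive as malformed.
            return new Result(new ArrayList<>(), "malformed archive: " + e.getMessage());
        } catch (IOException e) {
            return new Result(new ArrayList<>(), "I/O error: " + e.getMessage());
        } catch (RuntimeException e) {
            // The unchecked path from this issue: in 2.9.0 Zip4jUtil.getCompressionMethod
            // throws RuntimeException when the AES extra data record is missing (CWE-248).
            // Without this catch it escapes getNextEntry() and kills the worker thread.
            return new Result(new ArrayList<>(), "unexpected library failure: "
                    + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Catching RuntimeException here contains the crash but does not remove its cause; upgrading past 2.9.0 does.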

@srikanth-lingala
Owner

Fixed in v2.10.0 released today

@rohitkumar5058

rohitkumar5058 commented Jan 30, 2023

Hey Srikant, if I just have this dependency in my pom:

<dependency>
  <groupId>net.lingala.zip4j</groupId>
  <artifactId>zip4j</artifactId>
  <version>2.11.2</version>
</dependency>

I get the following error:
symbol: class Zip4jConstants
[ERROR] location: package net.lingala.zip4j.util

Then I added the following additional dependency along with the above one, and it worked:

<dependency>
  <groupId>net.lingala.zip4j</groupId>
  <artifactId>zip4j</artifactId>
  <version>1.3.2</version>
  <scope>compile</scope>
</dependency>

But why do we need to add this? They are the same dependency, and the 1.3.2 version has vulnerabilities too, which raises a Blackduck issue in my project. The issue still exists. Can you please comment and help me on this?
