From 11618aeebc706904339abf424b83620625182611 Mon Sep 17 00:00:00 2001
From: maximthomas <maxim.thomas@gmail.com>
Date: Tue, 9 Dec 2025 14:00:13 +0300
Subject: [PATCH] CVE-2025-12183 LZ4 Java Compression has Out-of-bounds memory
 operations which can cause DoS

CVE-2025-66566 yawkat LZ4 Java has a possible information leak in Java safe decompressor
---
 .../openam-cassandra-datastore/pom.xml             |  6 +++---
 openam-cassandra/openam-cassandra-embedded/pom.xml |  6 +++++-
 openam-cassandra/pom.xml                           | 14 ++++++++++----
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/openam-cassandra/openam-cassandra-datastore/pom.xml b/openam-cassandra/openam-cassandra-datastore/pom.xml
index a4ccda88b4..69fa87e887 100644
--- a/openam-cassandra/openam-cassandra-datastore/pom.xml
+++ b/openam-cassandra/openam-cassandra-datastore/pom.xml
@@ -12,7 +12,7 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions copyright [year] [name of copyright owner]".
  *
- * Copyright 2019 Open Identity Platform Community.
+ * Copyright 2019-2025 3A Systems LLC.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
@@ -35,8 +35,8 @@
 		    <artifactId>java-driver-core</artifactId>
 		</dependency>
 		<dependency>
-		    <groupId>org.lz4</groupId>
-		    <artifactId>lz4-java</artifactId>
+			<groupId>at.yawk.lz4</groupId>
+			<artifactId>lz4-java</artifactId>
 		</dependency>
 		<dependency>
 		    <groupId>org.xerial.snappy</groupId>
diff --git a/openam-cassandra/openam-cassandra-embedded/pom.xml b/openam-cassandra/openam-cassandra-embedded/pom.xml
index ca74b8e1d0..a550fa9663 100644
--- a/openam-cassandra/openam-cassandra-embedded/pom.xml
+++ b/openam-cassandra/openam-cassandra-embedded/pom.xml
@@ -12,7 +12,7 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions copyright [year] [name of copyright owner]".
  *
- * Copyright 2019 Open Identity Platform Community.
+ * Copyright 2019-2025 3A Systems LLC.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
@@ -35,6 +35,10 @@
 		    <groupId>org.apache.cassandra</groupId>
 		    <artifactId>cassandra-all</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>at.yawk.lz4</groupId>
+			<artifactId>lz4-java</artifactId>
+		</dependency>
 		<dependency>
 		    <groupId>com.google.guava</groupId>
 		    <artifactId>failureaccess</artifactId>
diff --git a/openam-cassandra/pom.xml b/openam-cassandra/pom.xml
index 844b28d851..04079ccfb9 100644
--- a/openam-cassandra/pom.xml
+++ b/openam-cassandra/pom.xml
@@ -12,7 +12,7 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions copyright [year] [name of copyright owner]".
  *
- * Copyright 2019 Open Identity Platform Community.
+ * Copyright 2019-2025 3A Systems LLC.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
@@ -50,11 +50,17 @@
 			    <groupId>org.apache.cassandra</groupId>
 			    <artifactId>cassandra-all</artifactId>
 			    <version>4.0.17</version>
+				<exclusions>
+					<exclusion>
+						<groupId>org.lz4</groupId>
+						<artifactId>lz4-java</artifactId>
+					</exclusion>
+				</exclusions>
 			</dependency>
 			<dependency>
-			    <groupId>org.lz4</groupId>
-			    <artifactId>lz4-java</artifactId>
-			    <version>1.8.0</version>
+				<groupId>at.yawk.lz4</groupId>
+				<artifactId>lz4-java</artifactId>
+				<version>1.10.1</version>
 			</dependency>
 			<dependency>
 			    <groupId>org.xerial.snappy</groupId>