PT-2021-22478 · Tremor · Tremor

Mfelsche · Published 2021-09-17 · Updated 2021-09-30 · CVE-2021-39228

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Tremor versions 0.7.2 through 0.11.6

Description

The issue is a memory safety problem that occurs when using patch or merge on state and assigning the result back to state. This allows access to already freed regions of memory, which can be sent over TCP or HTTP. The vulnerability requires the Tremor server to execute a tremor-script script that uses the mentioned language construct.

Recommendations

For versions 0.7.2 through 0.11.6, upgrade to version 0.11.6 or later, which removes the optimization and always clones the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to state, for example:

    let tmp = merge state of event end;
    let state = tmp

Exploit

Fix

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2021-39228
GHSA-MC22-5Q92-8V85

Affected Products

Tremor