CVE-2018-11771
First published: Thu Aug 16 2018(Updated: )
Apache Commons Compress is vulnerable to a denial of service, caused by the failure to return the correct EOF indication after the end of the stream has been reached by the ZipArchiveInputStream method. By reading a specially crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Commons Compress | >=1.7.0<=1.17.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| redhat/apache-commons-compress | <1.18 | 1.18 |
| maven/org.apache.commons:commons-compress | >=1.7<1.18 | 1.18 |
| >=1.7.0<=1.17.0 | ||
| =14.1.1.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2018-11771 https://nvd.nist.gov/vuln/detail/CVE-2018-11771 https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi?id=1618573
- https://access.redhat.com/errata/RHSA-2020:0983
- https://access.redhat.com/security/cve/cve-2018-11771
- https://exchange.xforce.ibmcloud.com/vulnerabilities/148429
- https://www.ibm.com/support/pages/node/6356539 (Advisory)
- http://www.securityfocus.com/bid/105139
- http://www.securitytracker.com/id/1041503
- https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E
- https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E
- https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1618574
- https://issues.apache.org/jira/browse/COMPRESS-463
- https://github.com/apache/commons-compress/commit/a41ce689
- https://github.com/apache/commons-compress/commit/0fe6ae31
- https://github.com/apache/commons-compress/commit/64ed6dde
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/support/policy/updates/rhmap
- https://access.redhat.com/node/4027141
- https://access.redhat.com/support/policy/updates/satellite/
- https://nvd.nist.gov/vuln/detail/CVE-2018-11771
- https://github.com/advisories/GHSA-hrmr-f5m6-m9pq (Advisory)
- https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7%40%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1%40%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61%40%3Cnotifications.commons.apache.org%3E
- https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120%40%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1%40%3Ccommits.commons.apache.org%3E
- https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2018-11771?
The severity of CVE-2018-11771 is medium with a severity value of 5.5.
How does CVE-2018-11771 affect Apache Commons Compress?
CVE-2018-11771 affects Apache Commons Compress versions 1.7 to 1.17 by failing to return the correct EOF indication after reaching the end of the stream, potentially leading to an infinite stream.
Which software versions are affected by CVE-2018-11771?
Apache Commons Compress versions 1.7 to 1.17, and Oracle WebLogic Server version 14.1.1.0.0 are affected by CVE-2018-11771.
How can I fix CVE-2018-11771 for Apache Commons Compress?
To fix CVE-2018-11771 for Apache Commons Compress, you need to upgrade to version 1.18.
How can I fix CVE-2018-11771 for Oracle WebLogic Server?
To fix CVE-2018-11771 for Oracle WebLogic Server, you need to apply the necessary patches or updates provided by Oracle.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-11771
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hrmr-f5m6-m9pq
- agent/severity
- agent/last-modified-date
- agent/description
- agent/references
- agent/author
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache commons compress
- version/apache commons compress/1.7.0
- version/apache commons compress/1.17.0
- vendor/oracle
- canonical/oracle weblogic server
- version/oracle weblogic server/14.1.1.0.0
- package-manager/redhat
- package-manager/maven