First published: Tue Jul 13 2021
A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, Compress can allocate large amounts of memory, leading to an out-of-memory error even for very small inputs. This flaw allows a denial of service attack against services that use Compress' SevenZ package. The highest threat from this vulnerability is to system availability.
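Beyond upgrading to 1.21, a service that unpacks untrusted 7Z input can cap what a single archive is allowed to cost. The following is an added example, not code from the advisory or from the Commons Compress project; it assumes Commons Compress 1.21 or later on the classpath (where `SevenZFileOptions` and `SevenZFile.getInputStream` are available), and the limit values and the `archive` path are illustrative placeholders. It bounds the decompressor's memory through `withMaxMemoryLimitInKb`, counts bytes actually produced rather than trusting the entry's declared size, and caps the number of entries, so a small malicious archive fails fast with an `IOException` instead of exhausting the heap.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;

import org.apache.commons.compress.archivers.sevenz.SevenZArchiveEntry;
import org.apache.commons.compress.archivers.sevenz.SevenZFile;
import org.apache.commons.compress.archivers.sevenz.SevenZFileOptions;

public class BoundedSevenZReader {

    // Assumed budgets for this example; tune them to the service's real capacity.
    private static final int MAX_DECODER_MEMORY_KB = 64 * 1024;    // 64 MiB for decoder state
    private static final long MAX_UNPACKED_BYTES = 256L << 20;     // 256 MiB of output per archive
    private static final long MAX_ENTRIES = 10_000;

    /**
     * Reads every entry of the archive under fixed memory, size and entry-count limits.
     * Returns the total number of bytes decompressed. Any limit violation surfaces as an
     * IOException (Compress itself throws MemoryLimitException, an IOException subclass,
     * when the decoder would need more than the configured memory).
     */
    public static long extractBounded(File archive) throws IOException {
        SevenZFileOptions options = SevenZFileOptions.builder()
                .withMaxMemoryLimitInKb(MAX_DECODER_MEMORY_KB)
                .build();

        long total = 0;
        long entries = 0;
        byte[] buf = new byte[8192];

        try (SevenZFile sevenZ = new SevenZFile(archive, options)) {
            SevenZArchiveEntry entry;
            while ((entry = sevenZ.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("archive exceeds entry limit of " + MAX_ENTRIES);
                }
                if (entry.isDirectory() || !entry.hasStream()) {
                    continue;
                }
                // getSize() is attacker-controlled metadata: use it only as an early reject,
                // never as the real bound. The real bound is the byte count read below.
                if (entry.getSize() > MAX_UNPACKED_BYTES - total) {
                    throw new IOException("declared size of " + entry.getName() + " exceeds budget");
                }
                try (InputStream in = sevenZ.getInputStream(entry)) {
                    int n;
                    while ((n = in.read(buf)) != -1) {
                        total += n;
                        if (total > MAX_UNPACKED_BYTES) {
                            throw new IOException("unpacked output exceeds " + MAX_UNPACKED_BYTES + " bytes");
                        }
                        // A real consumer would hand buf[0..n) to its sink here.
                    }
                }
            }
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder path; the caller supplies the untrusted archive.
        long bytes = extractBounded(new File(args.length > 0 ? args[0] : "input.7z"));
        System.out.println("decompressed " + bytes + " bytes within limits");
    }
}
```

The memory limit only constrains allocations that Compress routes through its limit check, so it is a defence-in-depth measure on top of the 1.21 upgrade, not a substitute for it; running this code against a vulnerable 1.20 build with a crafted archive can still hit the out-of-memory condition the advisory describes.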
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/apache-commons-compress | <0:1.21-1.2.el8e | 0:1.21-1.2.el8e |
| redhat/apache-commons-compress | <1.21 | 1.21 |
| Apache Commons Compress | >=1.6<=1.20 | |
| Netapp Active Iq Unified Manager Linux | | |
| Netapp Active Iq Unified Manager Vmware Vsphere | | |
| Netapp Active Iq Unified Manager Windows | | |
| NetApp OnCommand Insight | | |
| Oracle Banking Digital Experience | >=18.1<=18.3 | |
| Oracle Banking Digital Experience | =19.1 | |
| Oracle Banking Digital Experience | =19.2 | |
| Oracle Banking Digital Experience | =20.1 | |
| Oracle Banking Digital Experience | =21.1 | |
| Oracle Banking Enterprise Default Management | =2.7.0 | |
| Oracle Banking Party Management | =2.7.0 | |
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Communications Billing and Revenue Management | =12.0.0.4 | |
| Oracle Communications Cloud Native Core Automated Test Suite | =1.8.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 | |
| Oracle Communications Cloud Native Core Unified Data Repository | =1.14.0 | |
| Oracle Communications Diameter Intelligence Hub | >=8.0.0<=8.2.3 | |
| Oracle Communications Session Route Manager | >=8.0.0<=8.2.5 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.7.2.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.8.1.0 | |
| Oracle FLEXCUBE Universal Banking | >=14.0.0<=14.3.0 | |
| Oracle FLEXCUBE Universal Banking | =12.4.0 | |
| Oracle FLEXCUBE Universal Banking | =14.5 | |
| Oracle Healthcare Data Repository | =8.1.0 | |
| Oracle Insurance Policy Administration | =11.0.2 | |
| Oracle Insurance Policy Administration | =11.1.0 | |
| Oracle Insurance Policy Administration | =11.2.8 | |
| Oracle Insurance Policy Administration | =11.3.0 | |
| Oracle Insurance Policy Administration | =11.3.1 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
| Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
| Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Oracle Communications Messaging Server | =8.1 | |
The vulnerability ID of this flaw in apache-commons-compress is CVE-2021-35516.
The severity of CVE-2021-35516 is high, with a CVSS score of 7.5.
The software affected by CVE-2021-35516 is apache-commons-compress, versions up to 1.21.
This vulnerability is triggered by reading a specially crafted 7Z archive that causes Compress to allocate large amounts of memory.
The remedy for CVE-2021-35516 is to update apache-commons-compress to version 1.21 or higher.