CVE-2021-35516
First published: Tue Jul 13 2021(Updated: )
A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for very small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress' SevenZ package. The highest threat from this vulnerability is to system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/apache-commons-compress | <0:1.21-1.2.el8e | 0:1.21-1.2.el8e |
| redhat/apache-commons-compress | <1.21 | 1.21 |
| Apache Commons Compress | >=1.6<=1.20 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| NetApp OnCommand Insight | ||
| Oracle Banking Digital Experience | >=18.1<=18.3 | |
| Oracle Banking Digital Experience | =19.1 | |
| Oracle Banking Digital Experience | =19.2 | |
| Oracle Banking Digital Experience | =20.1 | |
| Oracle Banking Digital Experience | =21.1 | |
| Oracle Banking Enterprise Default Management | =2.7.0 | |
| Oracle Banking Party Management | =2.7.0 | |
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Communications Billing and Revenue Management | =12.0.0.4 | |
| Oracle Communications Cloud Native Core Automated Test Suite | =1.8.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 | |
| Oracle Communications Cloud Native Core Unified Data Repository | =1.14.0 | |
| Oracle Communications Diameter Intelligence Hub | >=8.0.0<=8.2.3 | |
| Oracle Communications Session Route Manager | >=8.0.0<=8.2.5 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.7.2.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.8.1.0 | |
| Oracle FLEXCUBE Universal Banking | >=14.0.0<=14.3.0 | |
| Oracle FLEXCUBE Universal Banking | =12.4.0 | |
| Oracle FLEXCUBE Universal Banking | =14.5 | |
| Oracle Healthcare Data Repository | =8.1.0 | |
| Oracle Insurance Policy Administration | =11.0.2 | |
| Oracle Insurance Policy Administration | =11.1.0 | |
| Oracle Insurance Policy Administration | =11.2.8 | |
| Oracle Insurance Policy Administration | =11.3.0 | |
| Oracle Insurance Policy Administration | =11.3.1 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
| Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
| Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Oracle Communications Messaging Server | =8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2021/07/13/2
- https://commons.apache.org/proper/commons-compress/security-reports.html
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E
- https://security.netapp.com/advisory/ntap-20211022-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1981901
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1981902
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:5555
- https://access.redhat.com/security/cve/cve-2021-35516
- https://bugzilla.redhat.com/show_bug.cgi?id=1981900
- https://www.cve.org/CVERecord?id=CVE-2021-35516 https://nvd.nist.gov/vuln/detail/CVE-2021-35516 http://www.openwall.com/lists/oss-security/2021/07/13/2 https://commons.apache.org/proper/commons-compress/security-reports.html https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID of this flaw in apache-commons-compress?
The vulnerability ID of this flaw in apache-commons-compress is CVE-2021-35516.
What is the severity of CVE-2021-35516?
The severity of CVE-2021-35516 is high with a severity value of 7.5.
Which software is affected by CVE-2021-35516?
The software affected by CVE-2021-35516 is apache-commons-compress version up to 1.21.
How can this vulnerability be exploited?
This vulnerability can be exploited by reading a specially crafted 7Z archive that causes Compress to allocate large amounts of memory.
Are there any remediation steps available for CVE-2021-35516?
Yes, the remedy for CVE-2021-35516 is to update apache-commons-compress to version 1.21 or higher.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/weakness
- agent/remedy
- agent/author
- agent/references
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-35516
- agent/software-canonical-lookup
- agent/event
- agent/description
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/apache
- canonical/apache commons compress
- version/apache commons compress/1.6
- version/apache commons compress/1.20
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp oncommand insight
- vendor/oracle
- canonical/oracle banking digital experience
- version/oracle banking digital experience/18.1
- version/oracle banking digital experience/18.3
- version/oracle banking digital experience/19.1
- version/oracle banking digital experience/19.2
- version/oracle banking digital experience/20.1
- version/oracle banking digital experience/21.1
- canonical/oracle banking enterprise default management
- version/oracle banking enterprise default management/2.7.0
- canonical/oracle banking party management
- version/oracle banking party management/2.7.0
- canonical/oracle business process management suite
- version/oracle business process management suite/12.2.1.3.0
- version/oracle business process management suite/12.2.1.4.0
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle communications billing and revenue management
- version/oracle communications billing and revenue management/12.0.0.4
- canonical/oracle communications cloud native core automated test suite
- version/oracle communications cloud native core automated test suite/1.8.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.14.0
- canonical/oracle communications cloud native core unified data repository
- version/oracle communications cloud native core unified data repository/1.14.0
- canonical/oracle communications diameter intelligence hub
- version/oracle communications diameter intelligence hub/8.0.0
- version/oracle communications diameter intelligence hub/8.2.3
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.5
- canonical/oracle financial services crime and compliance management studio
- version/oracle financial services crime and compliance management studio/8.0.8.2.0
- version/oracle financial services crime and compliance management studio/8.0.8.3.0
- canonical/oracle financial services enterprise case management
- version/oracle financial services enterprise case management/8.0.7.2.0
- version/oracle financial services enterprise case management/8.0.8.1.0
- canonical/oracle flexcube universal banking
- version/oracle flexcube universal banking/14.0.0
- version/oracle flexcube universal banking/14.3.0
- version/oracle flexcube universal banking/12.4.0
- version/oracle flexcube universal banking/14.5
- canonical/oracle healthcare data repository
- version/oracle healthcare data repository/8.1.0
- canonical/oracle insurance policy administration
- version/oracle insurance policy administration/11.0.2
- version/oracle insurance policy administration/11.1.0
- version/oracle insurance policy administration/11.2.8
- version/oracle insurance policy administration/11.3.0
- version/oracle insurance policy administration/11.3.1
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle utilities testing accelerator
- version/oracle utilities testing accelerator/6.0.0.1.1
- version/oracle utilities testing accelerator/6.0.0.2.2
- version/oracle utilities testing accelerator/6.0.0.3.1
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.1