CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability
First published: Tue Jul 13 2021(Updated: )
A flaw was found in apache-commons-compress. When reading a specially crafted TAR archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress' TAR package. The highest threat from this vulnerability is to system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/apache-commons-compress | <0:1.21-1.2.el8e | 0:1.21-1.2.el8e |
| redhat/apache-commons-compress | <1.21 | 1.21 |
| Apache Commons Compress | >=1.1<=1.20 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| NetApp OnCommand Insight | ||
| Oracle Banking Apis | >=18.1<=18.3 | |
| Oracle Banking Apis | =19.1 | |
| Oracle Banking Apis | =19.2 | |
| Oracle Banking Apis | =20.1 | |
| Oracle Banking Apis | =21.1 | |
| Oracle Banking Digital Experience | >=18.1<=18.3 | |
| Oracle Banking Digital Experience | =19.1 | |
| Oracle Banking Digital Experience | =19.2 | |
| Oracle Banking Digital Experience | =20.1 | |
| Oracle Banking Digital Experience | =21.1 | |
| Oracle Banking Enterprise Default Management | =2.7.0 | |
| Oracle Banking Party Management | =2.7.0 | |
| Oracle Banking Payments | =14.5 | |
| Oracle Banking Trade Finance | =14.5 | |
| Oracle Banking Treasury Management | =14.5 | |
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Communications Billing and Revenue Management | =12.0.0.4 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 | |
| Oracle Communications Cloud Native Core Unified Data Repository | =1.14.0 | |
| Oracle Communications Diameter Intelligence Hub | >=8.0.0<=8.2.3 | |
| Oracle Communications Session Route Manager | >=8.0.0<=8.2.5 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
| Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.7.2.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.8.1.0 | |
| Oracle FLEXCUBE Universal Banking | >=14.0.0<=14.3.0 | |
| Oracle FLEXCUBE Universal Banking | =12.4 | |
| Oracle FLEXCUBE Universal Banking | =14.5 | |
| Oracle Healthcare Data Repository | =8.1.0 | |
| Oracle Insurance Policy Administration | =11.0.2 | |
| Oracle Insurance Policy Administration | =11.1.0 | |
| Oracle Insurance Policy Administration | =11.2.8 | |
| Oracle Insurance Policy Administration | =11.3.0 | |
| Oracle Insurance Policy Administration | =11.3.1 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
| Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
| Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Oracle Communications Messaging Server | =8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-35517 https://nvd.nist.gov/vuln/detail/CVE-2021-35517 http://www.openwall.com/lists/oss-security/2021/07/13/3 https://commons.apache.org/proper/commons-compress/security-reports.html https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi?id=1981903
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:5555
- https://access.redhat.com/security/cve/cve-2021-35517
- https://commons.apache.org/proper/commons-compress/security-reports.html
- https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/07/13/3
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1981905
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1981904
- http://www.openwall.com/lists/oss-security/2021/07/13/5
- https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46@%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E
- https://security.netapp.com/advisory/ntap-20211022-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/author
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-35517
- agent/software-canonical-lookup
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/redhat
- vendor/apache
- canonical/apache commons compress
- version/apache commons compress/1.1
- version/apache commons compress/1.20
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp oncommand insight
- vendor/oracle
- canonical/oracle banking apis
- version/oracle banking apis/18.1
- version/oracle banking apis/18.3
- version/oracle banking apis/19.1
- version/oracle banking apis/19.2
- version/oracle banking apis/20.1
- version/oracle banking apis/21.1
- canonical/oracle banking digital experience
- version/oracle banking digital experience/18.1
- version/oracle banking digital experience/18.3
- version/oracle banking digital experience/19.1
- version/oracle banking digital experience/19.2
- version/oracle banking digital experience/20.1
- version/oracle banking digital experience/21.1
- canonical/oracle banking enterprise default management
- version/oracle banking enterprise default management/2.7.0
- canonical/oracle banking party management
- version/oracle banking party management/2.7.0
- canonical/oracle banking payments
- version/oracle banking payments/14.5
- canonical/oracle banking trade finance
- version/oracle banking trade finance/14.5
- canonical/oracle banking treasury management
- version/oracle banking treasury management/14.5
- canonical/oracle business process management suite
- version/oracle business process management suite/12.2.1.3.0
- version/oracle business process management suite/12.2.1.4.0
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle communications billing and revenue management
- version/oracle communications billing and revenue management/12.0.0.4
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.14.0
- canonical/oracle communications cloud native core unified data repository
- version/oracle communications cloud native core unified data repository/1.14.0
- canonical/oracle communications diameter intelligence hub
- version/oracle communications diameter intelligence hub/8.0.0
- version/oracle communications diameter intelligence hub/8.2.3
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.5
- canonical/oracle financial services crime and compliance management studio
- version/oracle financial services crime and compliance management studio/8.0.8.2.0
- version/oracle financial services crime and compliance management studio/8.0.8.3.0
- canonical/oracle financial services enterprise case management
- version/oracle financial services enterprise case management/8.0.7.2.0
- version/oracle financial services enterprise case management/8.0.8.1.0
- canonical/oracle flexcube universal banking
- version/oracle flexcube universal banking/14.0.0
- version/oracle flexcube universal banking/14.3.0
- version/oracle flexcube universal banking/12.4
- version/oracle flexcube universal banking/14.5
- canonical/oracle healthcare data repository
- version/oracle healthcare data repository/8.1.0
- canonical/oracle insurance policy administration
- version/oracle insurance policy administration/11.0.2
- version/oracle insurance policy administration/11.1.0
- version/oracle insurance policy administration/11.2.8
- version/oracle insurance policy administration/11.3.0
- version/oracle insurance policy administration/11.3.1
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle utilities testing accelerator
- version/oracle utilities testing accelerator/6.0.0.1.1
- version/oracle utilities testing accelerator/6.0.0.2.2
- version/oracle utilities testing accelerator/6.0.0.3.1
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.1