CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability
First published: Tue Jul 13 2021(Updated: )
A flaw was found in apache-commons-compress. When reading a specially crafted ZIP archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress' zip package. The highest threat from this vulnerability is to system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/apache-commons-compress | <0:1.21-1.2.el8e | 0:1.21-1.2.el8e |
| redhat/apache-commons-compress | <1.21 | 1.21 |
| IBM Cloud Pak System | <=V2.3.0 - V2.3.3.3 Interim Fix 1 | |
| Apache Commons Compress | >=1.0<1.21 | |
| Oracle Banking APIs | >=18.1<=18.3 | |
| Oracle Banking APIs | =19.1 | |
| Oracle Banking APIs | =19.2 | |
| Oracle Banking APIs | =20.1 | |
| Oracle Banking APIs | =21.1 | |
| Oracle Banking Digital Experience | >=18.1<=18.3 | |
| Oracle Banking Digital Experience | =19.1 | |
| Oracle Banking Digital Experience | =19.2 | |
| Oracle Banking Digital Experience | =20.1 | |
| Oracle Banking Digital Experience | =21.1 | |
| oracle banking enterprise default management | =2.7.0 | |
| Oracle Banking Party Management | =2.7.0 | |
| Oracle Banking Payments | =14.5 | |
| oracle banking platform | =2.6.2 | |
| oracle banking platform | =2.7.1 | |
| oracle banking platform | =2.9.0 | |
| oracle banking platform | =2.12.0 | |
| Oracle Banking Trade Finance Process Management | =14.5 | |
| Oracle Banking Treasury Management | =14.5 | |
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Communications Billing and Revenue Management | =12.0.0.4 | |
| Oracle Communications Cloud Native Core Automated Test Suite | =1.8.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 | |
| Oracle Communications Cloud Native Core Unified Data Repository | =1.14.0 | |
| Oracle Communications Diameter Intelligence Hub | >=8.0.0<=8.2.3 | |
| Oracle Communications Diameter Intelligence Hub | =8.2.3 | |
| oracle communications element manager | >=8.2.0<=8.2.4.0 | |
| oracle communications session report manager | >=8.2.0<=8.2.5.0 | |
| oracle communications session route manager | >=8.0.0<=8.2.5.0 | |
| Oracle Communications Unified Inventory Management | =7.4.0 | |
| Oracle Communications Unified Inventory Management | =7.4.1 | |
| Oracle Communications Unified Inventory Management | =7.4.2 | |
| Oracle Communications Unified Inventory Management | =7.5.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6<=8.1.1 | |
| Oracle Financial Services Crime and Compliance Management Studio | =8.0.8.2.0 | |
| Oracle Financial Services Crime and Compliance Management Studio | =8.0.8.3.0 | |
| Oracle Financial Services Enterprise Case Management | ||
| Oracle Financial Services Enterprise Case Management | =8.0.7.2.0 | |
| Oracle Financial Services Enterprise Case Management | =8.0.8.1.0 | |
| Oracle FLEXCUBE Universal Banking | >=14.0.0<=14.3.0 | |
| Oracle FLEXCUBE Universal Banking | =12.4 | |
| Oracle FLEXCUBE Universal Banking | =14.5 | |
| Oracle Healthcare Data Repository | =8.1.0 | |
| oracle insurance policy administration | =11.0.2 | |
| oracle insurance policy administration | =11.1.0 | |
| oracle insurance policy administration | =11.2.8 | |
| oracle insurance policy administration | =11.3.0 | |
| oracle insurance policy administration | =11.3.1 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| oracle primavera gateway | >=17.12.0<=17.12.11 | |
| oracle primavera gateway | >=18.8.0<=18.8.12 | |
| oracle primavera gateway | >=19.12.0<=19.12.11 | |
| oracle primavera gateway | >=20.12.0<=20.12.7 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
| Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
| Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Sun iPlanet Messaging Server | =8.1 | |
| NetApp Active IQ Unified Manager | ||
| NetApp Active IQ Unified Manager for VMware vSphere | ||
| netapp active iq unified manager windows | ||
| NetApp OnCommand Insight |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-36090 https://nvd.nist.gov/vuln/detail/CVE-2021-36090 http://www.openwall.com/lists/oss-security/2021/07/13/4 https://commons.apache.org/proper/commons-compress/security-reports.html https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi?id=1981909
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2022:5555
- https://access.redhat.com/security/cve/cve-2021-36090
- https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E
- https://commons.apache.org/proper/commons-compress/security-reports.html
- http://www.openwall.com/lists/oss-security/2021/07/13/4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1981911
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1981910
- http://www.openwall.com/lists/oss-security/2021/07/13/6
- https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E
- https://security.netapp.com/advisory/ntap-20211022-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/205310
- https://www.ibm.com/support/pages/node/6562263 (Advisory)
- https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7%40%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949%40%3Ccommits.drill.apache.org%3E
- https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2021-36090?
CVE-2021-36090 is classified as a medium severity vulnerability due to its potential for causing denial of service through excessive memory allocation.
How do I fix CVE-2021-36090?
To fix CVE-2021-36090, update the affected software to version 1.21 or higher for apache-commons-compress.
What types of software are affected by CVE-2021-36090?
CVE-2021-36090 affects various versions of apache-commons-compress, as well as several Oracle products and IBM Cloud Pak System.
What is the impact of exploiting CVE-2021-36090?
Exploiting CVE-2021-36090 can result in a denial of service condition by causing an out-of-memory error on the affected systems.
Is CVE-2021-36090 publicly disclosed?
Yes, CVE-2021-36090 has been publicly disclosed and documented in various security reports.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-36090
- agent/software-canonical-lookup
- agent/description
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/ibm
- canonical/ibm cloud pak system
- version/ibm cloud pak system/v2.3.0 - v2.3.3.3 interim fix 1
- vendor/apache
- canonical/apache commons compress
- version/apache commons compress/1.0
- vendor/oracle
- canonical/oracle banking apis
- version/oracle banking apis/18.1
- version/oracle banking apis/18.3
- version/oracle banking apis/19.1
- version/oracle banking apis/19.2
- version/oracle banking apis/20.1
- version/oracle banking apis/21.1
- canonical/oracle banking digital experience
- version/oracle banking digital experience/18.1
- version/oracle banking digital experience/18.3
- version/oracle banking digital experience/19.1
- version/oracle banking digital experience/19.2
- version/oracle banking digital experience/20.1
- version/oracle banking digital experience/21.1
- canonical/oracle banking enterprise default management
- version/oracle banking enterprise default management/2.7.0
- canonical/oracle banking party management
- version/oracle banking party management/2.7.0
- canonical/oracle banking payments
- version/oracle banking payments/14.5
- canonical/oracle banking platform
- version/oracle banking platform/2.6.2
- version/oracle banking platform/2.7.1
- version/oracle banking platform/2.9.0
- version/oracle banking platform/2.12.0
- canonical/oracle banking trade finance process management
- version/oracle banking trade finance process management/14.5
- canonical/oracle banking treasury management
- version/oracle banking treasury management/14.5
- canonical/oracle business process management suite
- version/oracle business process management suite/12.2.1.3.0
- version/oracle business process management suite/12.2.1.4.0
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle communications billing and revenue management
- version/oracle communications billing and revenue management/12.0.0.4
- canonical/oracle communications cloud native core automated test suite
- version/oracle communications cloud native core automated test suite/1.8.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.14.0
- canonical/oracle communications cloud native core unified data repository
- version/oracle communications cloud native core unified data repository/1.14.0
- canonical/oracle communications diameter intelligence hub
- version/oracle communications diameter intelligence hub/8.0.0
- version/oracle communications diameter intelligence hub/8.2.3
- canonical/oracle communications element manager
- version/oracle communications element manager/8.2.0
- version/oracle communications element manager/8.2.4.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.2.0
- version/oracle communications session report manager/8.2.5.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.5.0
- canonical/oracle communications unified inventory management
- version/oracle communications unified inventory management/7.4.0
- version/oracle communications unified inventory management/7.4.1
- version/oracle communications unified inventory management/7.4.2
- version/oracle communications unified inventory management/7.5.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.6
- version/oracle financial services analytical applications infrastructure/8.1.1
- canonical/oracle financial services crime and compliance management studio
- version/oracle financial services crime and compliance management studio/8.0.8.2.0
- version/oracle financial services crime and compliance management studio/8.0.8.3.0
- canonical/oracle financial services enterprise case management
- version/oracle financial services enterprise case management/8.0.7.2.0
- version/oracle financial services enterprise case management/8.0.8.1.0
- canonical/oracle flexcube universal banking
- version/oracle flexcube universal banking/14.0.0
- version/oracle flexcube universal banking/14.3.0
- version/oracle flexcube universal banking/12.4
- version/oracle flexcube universal banking/14.5
- canonical/oracle healthcare data repository
- version/oracle healthcare data repository/8.1.0
- canonical/oracle insurance policy administration
- version/oracle insurance policy administration/11.0.2
- version/oracle insurance policy administration/11.1.0
- version/oracle insurance policy administration/11.2.8
- version/oracle insurance policy administration/11.3.0
- version/oracle insurance policy administration/11.3.1
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.11
- version/oracle primavera gateway/18.8.0
- version/oracle primavera gateway/18.8.12
- version/oracle primavera gateway/19.12.0
- version/oracle primavera gateway/19.12.11
- version/oracle primavera gateway/20.12.0
- version/oracle primavera gateway/20.12.7
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle utilities testing accelerator
- version/oracle utilities testing accelerator/6.0.0.1.1
- version/oracle utilities testing accelerator/6.0.0.2.2
- version/oracle utilities testing accelerator/6.0.0.3.1
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- canonical/sun iplanet messaging server
- version/sun iplanet messaging server/8.1
- vendor/netapp
- canonical/netapp active iq unified manager
- canonical/netapp active iq unified manager for vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp oncommand insight