Vulnerability Description
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.6, <= 1.20 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Oncommand Insight | - |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Enterprise Default Management | 2.7.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Payments | 14.5 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.8.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.2.3 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.5 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.2.0 |
| Oracle | Flexcube Universal Banking | >= 14.0.0, <= 14.3.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/07/13/1 (Mailing List, Third Party Advisory)
- https://commons.apache.org/proper/commons-compress/security-reports.html (Vendor Advisory)
- https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c8 (Vendor Advisory)
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b2334
- https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e65
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c5
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef659795108319
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef1
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed9
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede
- https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb
- https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958c
- https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd0067
FAQ
What is CVE-2021-35515?
CVE-2021-35515 is a vulnerability with a CVSS score of 7.5 (HIGH). When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
How severe is CVE-2021-35515?
CVE-2021-35515 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-35515?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Commons Compress, Netapp Active Iq Unified Manager, Netapp Oncommand Insight, Oracle Banking Digital Experience, Oracle Banking Enterprise Default Management.