Vulnerability Description
When reading a specially crafted 7Z archive, Commons Compress can be made to allocate large amounts of memory, eventually leading to an out-of-memory error even for very small inputs. This could be used to mount a denial-of-service attack against services that use Compress' sevenz package.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.6, <= 1.20 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Oncommand Insight | - |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Enterprise Default Management | 2.7.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.8.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.2.3 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.5 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.2.0 |
| Oracle | Flexcube Universal Banking | >= 14.0.0, <= 14.3.0 |
| Oracle | Healthcare Data Repository | 8.1.0 |
| Oracle | Insurance Policy Administration | 11.0.2 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/07/13/2 (Mailing List, Third Party Advisory)
- https://commons.apache.org/proper/commons-compress/security-reports.html (Vendor Advisory)
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b2334
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c5
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef659795108319
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef1
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed9
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958c
- https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821
- https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f3 (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897
- https://security.netapp.com/advisory/ntap-20211022-0001/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-35516?
CVE-2021-35516 is a vulnerability with a CVSS score of 7.5 (HIGH). When reading a specially crafted 7Z archive, Commons Compress can be made to allocate large amounts of memory, eventually leading to an out-of-memory error even for very small inputs. This could be used to mount a denial-of-service attack against services that use Compress' sevenz package.
How severe is CVE-2021-35516?
CVE-2021-35516 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS score section above.
Is there a patch for CVE-2021-35516?
Check the references section above for vendor advisories and patch information. Affected products include Apache Commons Compress (versions 1.6 through 1.20), Netapp Active Iq Unified Manager, Netapp Oncommand Insight, Oracle Banking Digital Experience, and Oracle Banking Enterprise Default Management; see the Affected Products table for the full list.