Vulnerability Description
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory, eventually leading to an out-of-memory error even for very small inputs. This could be used to mount a denial-of-service attack against services that use Compress' tar package.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.1, <= 1.20 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Oncommand Insight | - |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Enterprise Default Management | 2.7.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Payments | 14.5 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.2.3 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.5 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.2.0 |
| Oracle | Flexcube Universal Banking | >= 14.0.0, <= 14.3.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/07/13/3 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/07/13/5 (Mailing List, Third Party Advisory)
- https://commons.apache.org/proper/commons-compress/security-reports.html (Vendor Advisory)
- https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7b
- https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8
- https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e
- https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249 (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b2334
- https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c5
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef659795108319
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef1
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed9
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede
FAQ
What is CVE-2021-35517?
CVE-2021-35517 is a vulnerability with a CVSS score of 7.5 (HIGH). When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory, eventually leading to an out-of-memory error even for very small inputs. This could be used to mount a denial-of-service attack against services that use Compress' tar package.
How severe is CVE-2021-35517?
CVE-2021-35517 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-35517?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Commons Compress, Netapp Active Iq Unified Manager, Netapp Oncommand Insight, Oracle Banking Apis, Oracle Banking Digital Experience.