Vulnerability Description
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.0, < 1.21 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Enterprise Default Management | 2.7.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Payments | 14.5 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.8.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.2.3 |
| Oracle | Communications Element Manager | >= 8.2.0, <= 8.2.4.0 |
| Oracle | Communications Session Report Manager | >= 8.2.0, <= 8.2.5.0 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.5.0 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2021/07/13/4 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2021/07/13/6 (Mailing List, Third Party Advisory)
- https://commons.apache.org/proper/commons-compress/security-reports.html (Vendor Advisory)
- https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c277
- https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d19
- https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc9
- https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3
- https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112b
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec
- https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0
- https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16d
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b2334
- https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e65
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c5
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef659795108319
FAQ
What is CVE-2021-36090?
CVE-2021-36090 is a vulnerability with a CVSS score of 7.5 (HIGH). When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
How severe is CVE-2021-36090?
CVE-2021-36090 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2021-36090?
Check the references section above for vendor advisories and patch information; the Apache Commons Compress security-reports page is the vendor advisory. The affected-products table lists Apache Commons Compress versions >= 1.0 and < 1.21, so 1.21 and later fall outside the affected range. Other affected products include: Oracle Banking Apis, Oracle Banking Digital Experience, Oracle Banking Enterprise Default Management, Oracle Banking Party Management.