Vulnerability Description
When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory, eventually leading to an out-of-memory error, even for small inputs. This can be used to disrupt builds that use Apache Ant. Apache Ant versions prior to 1.9.16 and 1.10.11 are affected.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ant | >= 1.9.0, < 1.9.16 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 |
| Oracle | Communications Order And Service Management | 7.3 |
| Oracle | Communications Unified Inventory Management | 7.3.0 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.1 |
| Oracle | Insurance Policy Administration | >= 11.0, <= 11.3.1 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.11 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Real-Time Decision Server | 3.2.0.0 |
| Oracle | Retail Advanced Inventory Planning | 14.1 |
| Oracle | Retail Back Office | 14.0 |
| Oracle | Retail Bulk Data Integration | 16.0.3.0 |
| Oracle | Retail Central Office | 14.0 |
| Oracle | Retail Eftlink | 19.0.1 |
| Oracle | Retail Extract Transform And Load | 13.2.8 |
Related Weaknesses (CWE)
References
- https://ant.apache.org/security.html (Patch, Vendor Advisory)
- https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750
- https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd81
- https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132
- https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e
- https://security.netapp.com/advisory/ntap-20210819-0007/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Not Applicable)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-36373?
CVE-2021-36373 is a vulnerability with a CVSS score of 5.5 (MEDIUM). When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used t...
How severe is CVE-2021-36373?
CVE-2021-36373 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-36373?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Ant, Oracle Agile Plm, Oracle Banking Trade Finance, Oracle Banking Treasury Management, Oracle Communications Cloud Native Core Automated Test Suite.