Vulnerability Description
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ant | >= 1.9.0, < 1.9.16 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.1.0 |
| Oracle | Communications Order And Service Management | 7.3 |
| Oracle | Communications Unified Inventory Management | 7.3.0 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.1 |
| Oracle | Health Sciences Information Manager | >= 3.0.1, <= 3.0.5 |
| Oracle | Insurance Policy Administration | >= 11.0, <= 11.3.1 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.11 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Product Lifecycle Analytics | 3.6.1 |
| Oracle | Real-Time Decision Server | 3.2.0.0 |
| Oracle | Retail Advanced Inventory Planning | 14.1 |
| Oracle | Retail Back Office | 14.0 |
Related Weaknesses (CWE)
References
- https://ant.apache.org/security.htmlPatchVendor Advisory
- https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750
- https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd81
- https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132
- https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d5Mailing ListVendor Advisory
- https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e
- https://security.netapp.com/advisory/ntap-20210819-0007/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- https://ant.apache.org/security.htmlPatchVendor Advisory
- https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750
- https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd81
- https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132
FAQ
What is CVE-2021-36374?
CVE-2021-36374 is a vulnerability with a CVSS score of 5.5 (MEDIUM). When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. Thi...
How severe is CVE-2021-36374?
CVE-2021-36374 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-36374?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Ant, Oracle Agile Engineering Data Management, Oracle Agile Plm, Oracle Banking Trade Finance, Oracle Banking Treasury Management.