CVE-2021-35516

Summary

CVE	CVE-2021-35516
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-07-13 08:15:00 UTC
Updated	2023-11-07 03:36:00 UTC
Description	When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Commons Compress	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Oncommand Insight	-	All	All	All
Application	Oracle	Banking Digital Experience	19.1	All	All	All
Application	Oracle	Banking Digital Experience	19.2	All	All	All
Application	Oracle	Banking Digital Experience	20.1	All	All	All
Application	Oracle	Banking Digital Experience	21.1	All	All	All
Application	Oracle	Banking Digital Experience	All	All	All	All
Application	Oracle	Banking Enterprise Default Management	2.7.0	All	All	All
Application	Oracle	Banking Party Management	2.7.0	All	All	All
Application	Oracle	Business Process Management Suite	12.2.1.3.0	All	All	All
Application	Oracle	Business Process Management Suite	12.2.1.4.0	All	All	All
Application	Oracle	Commerce Guided Search	11.3.2	All	All	All
Application	Oracle	Communications Billing And Revenue Management	12.0.0.4	All	All	All
Application	Oracle	Communications Cloud Native Core Automated Test Suite	1.8.0	All	All	All
Application	Oracle	Communications Cloud Native Core Service Communication Proxy	1.14.0	All	All	All
Application	Oracle	Communications Cloud Native Core Unified Data Repository	1.14.0	All	All	All
Application	Oracle	Communications Diameter Intelligence Hub	All	All	All	All
Operating System	Oracle	Communications Messaging Server	8.1	All	All	All
Application	Oracle	Communications Session Route Manager	All	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.3.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.7.2.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.8.1.0	All	All	All
Application	Oracle	Flexcube Universal Banking	12.4.0	All	All	All
Application	Oracle	Flexcube Universal Banking	14.5	All	All	All
Application	Oracle	Flexcube Universal Banking	All	All	All	All
Application	Oracle	Healthcare Data Repository	8.1.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.0.2	All	All	All
Application	Oracle	Insurance Policy Administration	11.1.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.2.8	All	All	All
Application	Oracle	Insurance Policy Administration	11.3.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.3.1	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.57	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	19.12	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	All	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.1.1	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.2.2	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.3.1	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.4.0	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)		lists.apache.org
[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Pony Mail!	MISC	lists.apache.org
[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
July 2021 Apache Commons Compress Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)		lists.apache.org
[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
oss-security - CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability	MLIST	www.openwall.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Commons Compress – Commons Compress Security Reports	MISC	commons.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[announce] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: This issue was first reported to the project's issue tracker as COMPRESS-542 by Robin Schimpf. Later OSS Fuzz detected ways to exploit this issue which managed to escape the initial attempt to fix it.

Legacy QID Mappings

183161 Debian Security Update for libcommons-compress-java (CVE-2021-35516)
750923 OpenSUSE Security Update for apache-commons-compress (openSUSE-SU-2021:2612-1)
750938 OpenSUSE Security Update for apache-commons-compress (openSUSE-SU-2021:1115-1)
980266 Java (maven) Security Update for org.apache.commons:commons-compress (GHSA-crv7-7245-f45f)