CVE-2021-35517

Summary

CVE	CVE-2021-35517
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-07-13 08:15:00 UTC
Updated	2023-11-07 03:36:00 UTC
Description	When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Commons Compress	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Oncommand Insight	-	All	All	All
Application	Oracle	Banking Apis	19.1	All	All	All
Application	Oracle	Banking Apis	19.2	All	All	All
Application	Oracle	Banking Apis	20.1	All	All	All
Application	Oracle	Banking Apis	21.1	All	All	All
Application	Oracle	Banking Apis	All	All	All	All
Application	Oracle	Banking Digital Experience	19.1	All	All	All
Application	Oracle	Banking Digital Experience	19.2	All	All	All
Application	Oracle	Banking Digital Experience	20.1	All	All	All
Application	Oracle	Banking Digital Experience	21.1	All	All	All
Application	Oracle	Banking Digital Experience	All	All	All	All
Application	Oracle	Banking Enterprise Default Management	2.7.0	All	All	All
Application	Oracle	Banking Party Management	2.7.0	All	All	All
Application	Oracle	Banking Payments	14.5	All	All	All
Application	Oracle	Banking Trade Finance	14.5	All	All	All
Application	Oracle	Banking Treasury Management	14.5	All	All	All
Application	Oracle	Business Process Management Suite	12.2.1.3.0	All	All	All
Application	Oracle	Business Process Management Suite	12.2.1.4.0	All	All	All
Application	Oracle	Commerce Guided Search	11.3.2	All	All	All
Application	Oracle	Communications Billing And Revenue Management	12.0.0.4	All	All	All
Application	Oracle	Communications Cloud Native Core Service Communication Proxy	1.14.0	All	All	All
Application	Oracle	Communications Cloud Native Core Unified Data Repository	1.14.0	All	All	All
Application	Oracle	Communications Diameter Intelligence Hub	All	All	All	All
Operating System	Oracle	Communications Messaging Server	8.1	All	All	All
Application	Oracle	Communications Session Route Manager	All	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.3.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.7.2.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.8.1.0	All	All	All
Application	Oracle	Flexcube Universal Banking	12.4	All	All	All
Application	Oracle	Flexcube Universal Banking	14.5	All	All	All
Application	Oracle	Flexcube Universal Banking	All	All	All	All
Application	Oracle	Healthcare Data Repository	8.1.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.0.2	All	All	All
Application	Oracle	Insurance Policy Administration	11.1.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.2.8	All	All	All
Application	Oracle	Insurance Policy Administration	11.3.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.3.1	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.57	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	19.12	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	All	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.1.1	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.2.2	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.3.1	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.4.0	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)		lists.apache.org
[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
oss-security - CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability	MLIST	www.openwall.com
July 2021 Apache Commons Compress Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
[announce] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)		lists.apache.org
[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Pony Mail!	MISC	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Commons Compress – Commons Compress Security Reports	MISC	commons.apache.org
oss-security - CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability	MLIST	www.openwall.com
[announce] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[ant-user] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability		lists.apache.org
[flink-issues] 20210908 [GitHub] [flink] MartijnVisser opened a new pull request #17194: [FLINK-24034] Upgrade commons-compress to 1.21 and other apache.commons updates		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: This issue was discovered by OSS Fuzz.

Legacy QID Mappings

184964 Debian Security Update for libcommons-compress-java (CVE-2021-35517)
296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
750923 OpenSUSE Security Update for apache-commons-compress (openSUSE-SU-2021:2612-1)
750938 OpenSUSE Security Update for apache-commons-compress (openSUSE-SU-2021:1115-1)
980267 Java (maven) Security Update for org.apache.commons:commons-compress (GHSA-xqfj-vm6h-2x34)