CVE-2021-36090

Summary

CVE	CVE-2021-36090
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-07-13 08:15:00 UTC
Updated	2023-11-07 03:36:00 UTC
Description	When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Risk And Classification

Problem Types: NVD-CWE-Other

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Commons Compress	All	All	All	All
Application	Apache	Commons Compress	All	All	All	All
Application	Apache	Drill	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Oncommand Insight	-	All	All	All
Application	Oracle	Banking Apis	19.1	All	All	All
Application	Oracle	Banking Apis	19.2	All	All	All
Application	Oracle	Banking Apis	20.1	All	All	All
Application	Oracle	Banking Apis	21.1	All	All	All
Application	Oracle	Banking Apis	All	All	All	All
Application	Oracle	Banking Digital Experience	19.1	All	All	All
Application	Oracle	Banking Digital Experience	19.2	All	All	All
Application	Oracle	Banking Digital Experience	20.1	All	All	All
Application	Oracle	Banking Digital Experience	21.1	All	All	All
Application	Oracle	Banking Digital Experience	All	All	All	All
Application	Oracle	Banking Enterprise Default Management	2.7.0	All	All	All
Application	Oracle	Banking Party Management	2.7.0	All	All	All
Application	Oracle	Banking Payments	14.5	All	All	All
Application	Oracle	Banking Platform	2.12.0	All	All	All
Application	Oracle	Banking Platform	2.6.2	All	All	All
Application	Oracle	Banking Platform	2.7.1	All	All	All
Application	Oracle	Banking Platform	2.9.0	All	All	All
Application	Oracle	Banking Trade Finance	14.5	All	All	All
Application	Oracle	Banking Treasury Management	14.5	All	All	All
Application	Oracle	Business Process Management Suite	12.2.1.3.0	All	All	All
Application	Oracle	Business Process Management Suite	12.2.1.4.0	All	All	All
Application	Oracle	Commerce Guided Search	11.3.2	All	All	All
Application	Oracle	Communications Billing And Revenue Management	12.0.0.4	All	All	All
Application	Oracle	Communications Cloud Native Core Automated Test Suite	1.8.0	All	All	All
Application	Oracle	Communications Cloud Native Core Service Communication Proxy	1.14.0	All	All	All
Application	Oracle	Communications Cloud Native Core Unified Data Repository	1.14.0	All	All	All
Application	Oracle	Communications Diameter Intelligence Hub	8.2.3	All	All	All
Application	Oracle	Communications Diameter Intelligence Hub	All	All	All	All
Application	Oracle	Communications Element Manager	All	All	All	All
Operating System	Oracle	Communications Messaging Server	8.1	All	All	All
Application	Oracle	Communications Session Report Manager	All	All	All	All
Application	Oracle	Communications Session Route Manager	All	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.4.0	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.4.1	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.4.2	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.5.0	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0	All	All	All
Application	Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.3.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	All	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.7.2.0	All	All	All
Application	Oracle	Financial Services Enterprise Case Management	8.0.8.1.0	All	All	All
Application	Oracle	Flexcube Universal Banking	12.4	All	All	All
Application	Oracle	Flexcube Universal Banking	14.5	All	All	All
Application	Oracle	Flexcube Universal Banking	All	All	All	All
Application	Oracle	Healthcare Data Repository	8.1.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.0.2	All	All	All
Application	Oracle	Insurance Policy Administration	11.1.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.2.8	All	All	All
Application	Oracle	Insurance Policy Administration	11.3.0	All	All	All
Application	Oracle	Insurance Policy Administration	11.3.1	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.57	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	19.12	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	All	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.1.1	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.2.2	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.3.1	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.4.0	All	All	All

References

Reference	Source	Link	Tags
[drill-dev] 20210804 [GitHub] [drill] luocooong opened a new pull request #2285: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
oss-security - CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability	MLIST	www.openwall.com
Pony Mail!	MLIST	lists.apache.org
July 2021 Apache Commons Compress Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[drill-dev] 20210805 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090		lists.apache.org
Pony Mail!	MISC	lists.apache.org
[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
[drill-issues] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090		lists.apache.org
[druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090		lists.apache.org
[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090		lists.apache.org
oss-security - CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability	MLIST	www.openwall.com
[drill-dev] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090		lists.apache.org
[drill-dev] 20210804 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[drill-commits] 20210804 [drill] branch master updated: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Commons Compress – Commons Compress Security Reports	MISC	commons.apache.org
Pony Mail!	MLIST	lists.apache.org
[announce] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability		lists.apache.org
[druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)		lists.apache.org
[tomcat-dev] 20210811 [GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20		lists.apache.org
[announce] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[drill-issues] 20210804 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[james-notifications] 20210714 [GitHub] [james-project] chibenwa opened a new pull request #537: [UPGRADE] Security upgrade: common-compress to 1.21		lists.apache.org
[ant-user] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[drill-issues] 20210805 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: This issue was discovered by OSS Fuzz.

Legacy QID Mappings

150676 Oracle WebLogic Server Multiple Vulnerabilities (APR-2023)
296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
375970 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUOCT2021)
376263 IBM MQ Multiple Vulnerabilities (6527792)
376367 Oracle Essbase Administration Services Security Update (CPUJAN2022)
750923 OpenSUSE Security Update for apache-commons-compress (openSUSE-SU-2021:2612-1)
750938 OpenSUSE Security Update for apache-commons-compress (openSUSE-SU-2021:1115-1)
980268 Java (maven) Security Update for org.apache.commons:commons-compress (GHSA-mc84-pj99-q6hh)