CVE-2021-36373
Summary
| CVE | CVE-2021-36373 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-07-14 07:15:00 UTC |
| Updated | 2023-11-07 03:36:00 UTC |
| Description | When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory, which ultimately leads to an out-of-memory error, even for small inputs. This can be used to disrupt builds that use Apache Ant. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Ant | All | All | All | All |
| Application | Oracle | Agile Plm | 9.3.6 | All | All | All |
| Application | Oracle | Banking Trade Finance | 14.5 | All | All | All |
| Application | Oracle | Banking Treasury Management | 14.5 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 | All | All | All |
| Application | Oracle | Communications Order And Service Management | 7.3 | All | All | All |
| Application | Oracle | Communications Order And Service Management | 7.4 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.3.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.1 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.2 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.5.0 | All | All | All |
| Application | Oracle | Enterprise Repository | 11.1.1.7.0 | All | All | All |
| Application | Oracle | Financial Services Analytical Applications Infrastructure | All | All | All | All |
| Application | Oracle | Insurance Policy Administration | All | All | All | All |
| Application | Oracle | Primavera Gateway | All | All | All | All |
| Application | Oracle | Primavera Unifier | 18.8 | All | All | All |
| Application | Oracle | Primavera Unifier | 19.12 | All | All | All |
| Application | Oracle | Primavera Unifier | 20.12 | All | All | All |
| Application | Oracle | Primavera Unifier | All | All | All | All |
| Application | Oracle | Real-time Decision Server | 11.1.1.9.0 | All | All | All |
| Application | Oracle | Real-time Decision Server | 3.2.0.0 | All | All | All |
| Application | Oracle | Retail Advanced Inventory Planning | 14.1 | All | All | All |
| Application | Oracle | Retail Advanced Inventory Planning | 15.0 | All | All | All |
| Application | Oracle | Retail Advanced Inventory Planning | 16.0 | All | All | All |
| Application | Oracle | Retail Back Office | 14.0 | All | All | All |
| Application | Oracle | Retail Back Office | 14.1 | All | All | All |
| Application | Oracle | Retail Bulk Data Integration | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Bulk Data Integration | 19.0.1 | All | All | All |
| Application | Oracle | Retail Central Office | 14.0 | All | All | All |
| Application | Oracle | Retail Central Office | 14.1 | All | All | All |
| Application | Oracle | Retail Eftlink | 19.0.1 | All | All | All |
| Application | Oracle | Retail Eftlink | 20.0.1 | All | All | All |
| Application | Oracle | Retail Extract Transform And Load | 13.2.8 | All | All | All |
| Application | Oracle | Retail Financial Integration | 14.1.3.2 | All | All | All |
| Application | Oracle | Retail Financial Integration | 15.0.4.0 | All | All | All |
| Application | Oracle | Retail Financial Integration | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 14.1.3.2 | All | All | All |
| Application | Oracle | Retail Integration Bus | 15.0.4.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 19.0.1.0 | All | All | All |
| Application | Oracle | Retail Invoice Matching | 16.0.3 | All | All | All |
| Application | Oracle | Retail Merchandising System | 19.0.1 | All | All | All |
| Application | Oracle | Retail Point-of-service | 14.0 | All | All | All |
| Application | Oracle | Retail Point-of-service | 14.1 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 14.1.3 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 15.0.3 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Service Backbone | 14.1.3.2 | All | All | All |
| Application | Oracle | Retail Service Backbone | 15.0.4.0 | All | All | All |
| Application | Oracle | Retail Service Backbone | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Service Backbone | 19.0.1.0 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 14.1 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 15.0 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 16.0 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0.6 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 18.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 19.0.2 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 20.0.1 | All | All | All |
| Application | Oracle | Timesten In-memory Database | All | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.3.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.0.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.3.0 | All | All | All |
| Application | Oracle | Utilities Framework | All | All | All | All |
| Application | Oracle | Utilities Testing Accelerator | 6.0.0.1.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e1... | MISC | lists.apache.org | |
| Apache Ant - Apache Ant Security Reports | MISC | ant.apache.org | |
| [groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374) | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| July 2021 Apache Ant Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| [groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374) | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| [groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374) | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This issue is similar to CVE-2021-35517 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517) in Apache Commons Compress, which was detected by OSS-Fuzz.
Legacy QID Mappings
- 183912 Debian Security Update for ant (CVE-2021-36373)
- 296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
- 376123 IBM Installation Manager Multiple Vulnerabilities
- 501805 Alpine Linux Security Update for apache-ant
- 504580 Alpine Linux Security Update for apache-ant
- 670695 EulerOS Security Update for ant (EulerOS-SA-2021-2453)
- 670958 EulerOS Security Update for ant (EulerOS-SA-2021-2651)
- 671660 EulerOS Security Update for ant (EulerOS-SA-2022-1703)
- 752076 SUSE Enterprise Linux Security Update for ant (SUSE-SU-2022:1417-1)
- 753206 SUSE Enterprise Linux Security Update for ant (SUSE-SU-2022:1418-1)
- 900240 CBL-Mariner Linux Security Update for ant 1.10.9
- 903364 Common Base Linux Mariner (CBL-Mariner) Security Update for ant (4437)
- 980363 Java (maven) Security Update for org.apache.ant:ant (GHSA-q5r4-cfpx-h6fh)