Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-35517

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Published

2021-07-13T08:15:07.220

Last Modified

2024-11-21T06:12:25.653

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-130
Type: Primary
CWE-770

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	commons_compress	≤ 1.20	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	oncommand_insight	-	Yes
Application	oracle	banking_apis	≤ 18.3	Yes
Application	oracle	banking_apis	19.1	Yes
Application	oracle	banking_apis	19.2	Yes
Application	oracle	banking_apis	20.1	Yes
Application	oracle	banking_apis	21.1	Yes
Application	oracle	banking_digital_experience	≤ 18.3	Yes
Application	oracle	banking_digital_experience	19.1	Yes
Application	oracle	banking_digital_experience	19.2	Yes
Application	oracle	banking_digital_experience	20.1	Yes
Application	oracle	banking_digital_experience	21.1	Yes
Application	oracle	banking_enterprise_default_management	2.7.0	Yes
Application	oracle	banking_party_management	2.7.0	Yes
Application	oracle	banking_payments	14.5	Yes
Application	oracle	banking_trade_finance	14.5	Yes
Application	oracle	banking_treasury_management	14.5	Yes
Application	oracle	business_process_management_suite	12.2.1.3.0	Yes
Application	oracle	business_process_management_suite	12.2.1.4.0	Yes
Application	oracle	commerce_guided_search	11.3.2	Yes
Application	oracle	communications_billing_and_revenue_management	12.0.0.4	Yes
Application	oracle	communications_cloud_native_core_service_communication_proxy	1.14.0	Yes
Application	oracle	communications_cloud_native_core_unified_data_repository	1.14.0	Yes
Application	oracle	communications_diameter_intelligence_hub	≤ 8.2.3	Yes
Application	oracle	communications_session_route_manager	≤ 8.2.5	Yes
Application	oracle	financial_services_crime_and_compliance_management_studio	8.0.8.2.0	Yes
Application	oracle	financial_services_crime_and_compliance_management_studio	8.0.8.3.0	Yes
Application	oracle	financial_services_enterprise_case_management	8.0.7.2.0	Yes
Application	oracle	financial_services_enterprise_case_management	8.0.8.1.0	Yes
Application	oracle	flexcube_universal_banking	≤ 14.3.0	Yes
Application	oracle	flexcube_universal_banking	12.4	Yes
Application	oracle	flexcube_universal_banking	14.5	Yes
Application	oracle	healthcare_data_repository	8.1.0	Yes
Application	oracle	insurance_policy_administration	11.0.2	Yes
Application	oracle	insurance_policy_administration	11.1.0	Yes
Application	oracle	insurance_policy_administration	11.2.8	Yes
Application	oracle	insurance_policy_administration	11.3.0	Yes
Application	oracle	insurance_policy_administration	11.3.1	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.57	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.58	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.59	Yes
Application	oracle	primavera_unifier	≤ 17.12	Yes
Application	oracle	primavera_unifier	18.8	Yes
Application	oracle	primavera_unifier	19.12	Yes
Application	oracle	primavera_unifier	20.12	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.1.1	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.2.2	Yes
Application	oracle	utilities_testing_accelerator	6.0.0.3.1	Yes
Application	oracle	webcenter_portal	12.2.1.3.0	Yes
Application	oracle	webcenter_portal	12.2.1.4.0	Yes
Operating System	oracle	communications_messaging_server	8.1	Yes

References

http://www.openwall.com/lists/oss-security/2021/07/13/3 Mailing List, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2021/07/13/5 Mailing List, Third Party Advisory ([email protected])
https://commons.apache.org/proper/commons-compress/security-reports.html Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E Mailing List, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E ([email protected])
https://security.netapp.com/advisory/ntap-20211022-0001/ Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2021/07/13/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2021/07/13/5 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://commons.apache.org/proper/commons-compress/security-reports.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20211022-0001/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)