Vulnerability Details CVE-2021-35517
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 57.7%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://www.openwall.com/lists/oss-security/2021/07/13/3
- http://www.openwall.com/lists/oss-security/2021/07/13/5
- https://commons.apache.org/proper/commons-compress/security-reports.html
- https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
- https://security.netapp.com/advisory/ntap-20211022-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://www.openwall.com/lists/oss-security/2021/07/13/3
- http://www.openwall.com/lists/oss-security/2021/07/13/5
- https://commons.apache.org/proper/commons-compress/security-reports.html
- https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
- https://security.netapp.com/advisory/ntap-20211022-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2021-35517
-
cpe:2.3:a:apache:commons_compress:1.1
-
cpe:2.3:a:apache:commons_compress:1.10
-
cpe:2.3:a:apache:commons_compress:1.11
-
cpe:2.3:a:apache:commons_compress:1.12
-
cpe:2.3:a:apache:commons_compress:1.13
-
cpe:2.3:a:apache:commons_compress:1.14
-
cpe:2.3:a:apache:commons_compress:1.15
-
cpe:2.3:a:apache:commons_compress:1.16
-
cpe:2.3:a:apache:commons_compress:1.16.1
-
cpe:2.3:a:apache:commons_compress:1.17
-
cpe:2.3:a:apache:commons_compress:1.18
-
cpe:2.3:a:apache:commons_compress:1.19
-
cpe:2.3:a:apache:commons_compress:1.2
-
cpe:2.3:a:apache:commons_compress:1.20
-
cpe:2.3:a:apache:commons_compress:1.3
-
cpe:2.3:a:apache:commons_compress:1.4
-
cpe:2.3:a:apache:commons_compress:1.4.1
-
cpe:2.3:a:apache:commons_compress:1.5
-
cpe:2.3:a:apache:commons_compress:1.6
-
cpe:2.3:a:apache:commons_compress:1.7
-
cpe:2.3:a:apache:commons_compress:1.8
-
cpe:2.3:a:apache:commons_compress:1.8.1
-
cpe:2.3:a:apache:commons_compress:1.9
-
cpe:2.3:a:netapp:active_iq_unified_manager:-
-
cpe:2.3:a:netapp:oncommand_insight:-
-
cpe:2.3:a:oracle:banking_apis:18.1
-
cpe:2.3:a:oracle:banking_apis:18.2
-
cpe:2.3:a:oracle:banking_apis:18.3
-
cpe:2.3:a:oracle:banking_apis:19.1
-
cpe:2.3:a:oracle:banking_apis:19.2
-
cpe:2.3:a:oracle:banking_apis:20.1
-
cpe:2.3:a:oracle:banking_apis:21.1
-
cpe:2.3:a:oracle:banking_digital_experience:18.1
-
cpe:2.3:a:oracle:banking_digital_experience:18.2
-
cpe:2.3:a:oracle:banking_digital_experience:18.3
-
cpe:2.3:a:oracle:banking_digital_experience:19.1
-
cpe:2.3:a:oracle:banking_digital_experience:19.2
-
cpe:2.3:a:oracle:banking_digital_experience:20.1
-
cpe:2.3:a:oracle:banking_digital_experience:21.1
-
cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0
-
cpe:2.3:a:oracle:banking_party_management:2.7.0
-
cpe:2.3:a:oracle:banking_payments:14.5
-
cpe:2.3:a:oracle:banking_trade_finance:14.5
-
cpe:2.3:a:oracle:banking_treasury_management:14.5
-
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0
-
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0
-
cpe:2.3:a:oracle:commerce_guided_search:11.3.2
-
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.4
-
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0
-
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0
-
cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.0.0
-
cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.1.0
-
cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.2.0
-
cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.2.3
-
cpe:2.3:a:oracle:communications_session_route_manager:8.0.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.1.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2.1
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.4
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.4.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.5
-
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0
-
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0
-
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0
-
cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1.0
-
cpe:2.3:a:oracle:flexcube_universal_banking:12.4
-
cpe:2.3:a:oracle:flexcube_universal_banking:14.0.0
-
cpe:2.3:a:oracle:flexcube_universal_banking:14.1.0
-
cpe:2.3:a:oracle:flexcube_universal_banking:14.2.0
-
cpe:2.3:a:oracle:flexcube_universal_banking:14.3.0
-
cpe:2.3:a:oracle:flexcube_universal_banking:14.5
-
cpe:2.3:a:oracle:healthcare_data_repository:8.1.0
-
cpe:2.3:a:oracle:insurance_policy_administration:11.0.2
-
cpe:2.3:a:oracle:insurance_policy_administration:11.1.0
-
cpe:2.3:a:oracle:insurance_policy_administration:11.2.8
-
cpe:2.3:a:oracle:insurance_policy_administration:11.3.0
-
cpe:2.3:a:oracle:insurance_policy_administration:11.3.1
-
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57
-
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58
-
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59
-
cpe:2.3:a:oracle:primavera_unifier:17.10
-
cpe:2.3:a:oracle:primavera_unifier:17.11
-
cpe:2.3:a:oracle:primavera_unifier:17.12
-
cpe:2.3:a:oracle:primavera_unifier:17.7
-
cpe:2.3:a:oracle:primavera_unifier:17.8
-
cpe:2.3:a:oracle:primavera_unifier:17.9
-
cpe:2.3:a:oracle:primavera_unifier:18.8
-
cpe:2.3:a:oracle:primavera_unifier:19.12
-
cpe:2.3:a:oracle:primavera_unifier:20.12
-
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1
-
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2
-
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1
-
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0
-
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0
-
cpe:2.3:o:oracle:communications_messaging_server:8.1