Bug 1618573 (CVE-2018-11771) - CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip
Summary: CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-11771
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1618574 1618575 1625463 1625464 1640713 1640717 1640719 1651412
Blocks: 1618576
TreeView+ depends on / blocked
 
Reported: 2018-08-17 02:22 UTC by Sam Fowler
Modified: 2022-07-04 06:03 UTC (History)
83 users (show)

Fixed In Version: apache-commons-compress 1.18
Clone Of:
Environment:
Last Closed: 2020-03-26 16:31:57 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0983 0 None None None 2020-03-26 15:47:24 UTC

Description Sam Fowler 2018-08-17 02:22:45 UTC 
Apache Commons Compress versions 1.7 to 1.17 are vulnerable to a denial of service attack via crafted ZIP archive. When reading a specially crafted ZIP archive, the read method of ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached.  When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.


External Reference:

https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E
Comment 1 Sam Fowler 2018-08-17 02:23:02 UTC 
Created apache-commons-compress tracking bugs for this issue:

Affects: fedora-all [bug 1618574]
Comment 3 Doran Moppert 2018-08-21 08:18:40 UTC 
Upstream ticket:

https://issues.apache.org/jira/browse/COMPRESS-463

Upstream patch:

https://github.com/apache/commons-compress/commit/a41ce689

Prior patches introducing tests:

https://github.com/apache/commons-compress/commit/0fe6ae31
https://github.com/apache/commons-compress/commit/64ed6dde
Comment 8 Joshua Padman 2019-05-15 22:49:39 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss Operations Network 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 9 Jason Shepherd 2019-08-08 05:48:13 UTC 
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details
Comment 10 Joshua Padman 2019-08-12 01:37:32 UTC 
This vulnerability is out of security support scope for the following products:
 * JBoss Developer Studio 11

Please refer to https://access.redhat.com/node/4027141 for more details.
Comment 12 errata-xmlrpc 2020-03-26 15:47:19 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
Comment 13 Product Security DevOps Team 2020-03-26 16:31:57 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-11771
Comment 14 Yadnyawalk Tale 2020-04-21 09:33:12 UTC 
Satellite 6.0 was shipping lucene4-contrib which has commons-compress embedded. It is EOL on February 21, 2018.
~~~
[ytale@cordelia manifests]$ cat manifest-eol.txt | grep satellite | grep commons-compres
manifest-eol.txt:14677:rhn_satellite:6.0/lucene4-contrib-4.6.1-1.el6sat.noarch.rpm/Commons Compress/1.4.1/commons-compress-1.4.1.jar
~~~

Ref - https://access.redhat.com/support/policy/updates/satellite/
Note You need to log in before you can comment on or make changes to this bug.