Bug 2264989 (CVE-2024-26308) - CVE-2024-26308 commons-compress: OutOfMemoryError unpacking broken Pack200 file
Summary: CVE-2024-26308 commons-compress: OutOfMemoryError unpacking broken Pack200 file
Keywords:
Status: NEW
Alias: CVE-2024-26308
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2264987
Reported: 2024-02-19 20:32 UTC by Patrick Del Bello
Modified: 2024-07-20 08:28 UTC (History)

Fixed In Version: Apache Commons Compress 1.26
Doc Type: ---
Doc Text:
An allocation of resources without limits or throttling vulnerability was found in Apache Commons Compress. This issue can lead to an out-of-memory error.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:1509  0        None      None    None     2024-03-26 11:15:55 UTC
Red Hat Product Errata  RHSA-2024:1662  0        None      None    None     2024-04-03 10:53:37 UTC
Red Hat Product Errata  RHSA-2024:1797  0        None      None    None     2024-04-22 10:59:38 UTC
Red Hat Product Errata  RHSA-2024:1923  0        None      None    None     2024-04-18 11:43:37 UTC
Red Hat Product Errata  RHSA-2024:2833  0        None      None    None     2024-05-14 09:08:06 UTC
Red Hat Product Errata  RHSA-2024:3989  0        None      None    None     2024-06-20 00:35:31 UTC
Red Hat Product Errata  RHSA-2024:4057  0        None      None    None     2024-06-24 01:38:48 UTC

Description Patrick Del Bello 2024-02-19 20:32:25 UTC
CVE-2024-25710 (https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf):

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

CVE-2024-26308 (https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg):

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.

Please bump to 1.26.0.

Comment 8 errata-xmlrpc 2024-03-26 11:15:51 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid

Via RHSA-2024:1509 https://access.redhat.com/errata/RHSA-2024:1509

Comment 9 errata-xmlrpc 2024-04-03 10:53:31 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.11

Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662

Comment 10 errata-xmlrpc 2024-04-18 11:43:32 UTC
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2024:1923 https://access.redhat.com/errata/RHSA-2024:1923

Comment 11 errata-xmlrpc 2024-04-22 10:59:34 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9.SP2

Via RHSA-2024:1797 https://access.redhat.com/errata/RHSA-2024:1797

Comment 15 errata-xmlrpc 2024-05-14 09:08:00 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.5.11 GA

Via RHSA-2024:2833 https://access.redhat.com/errata/RHSA-2024:2833

Comment 16 errata-xmlrpc 2024-06-20 00:35:22 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989

Comment 17 errata-xmlrpc 2024-06-24 01:38:41 UTC
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4057 https://access.redhat.com/errata/RHSA-2024:4057

