Bug 1981909 (CVE-2021-36090) - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive
Summary: CVE-2021-36090 apache-commons-compress: excessive memory allocation when read...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-36090
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1981910 1981911 1983232 1983233 1983234 1983235 1983236 1983237 1992141
Blocks: 1981912
TreeView+ depends on / blocked
 
Reported: 2021-07-13 17:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-08-30 03:35 UTC (History)
34 users (show)

Fixed In Version: apache-commons-compress-1.21
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in apache-commons-compress. When reading a specially crafted ZIP archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress' zip package. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2022-08-30 03:35:01 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:21:11 UTC
Red Hat Product Errata RHSA-2022:5555 0 None None None 2022-07-14 12:54:22 UTC

Description Guilherme de Almeida Suckevicz 2021-07-13 17:30:26 UTC
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

References:
https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E
https://commons.apache.org/proper/commons-compress/security-reports.html
http://www.openwall.com/lists/oss-security/2021/07/13/4

Comment 1 Guilherme de Almeida Suckevicz 2021-07-13 17:30:52 UTC
Created apache-commons-compress tracking bugs for this issue:

Affects: fedora-all [bug 1981911]


Created javapackages-bootstrap:202001/apache-commons-compress tracking bugs for this issue:

Affects: fedora-all [bug 1981910]

Comment 3 Garrett Tucker 2021-07-16 21:59:29 UTC
After analysis, a Denial of Service attack is possible via excessive memory allocated caused by a crafted zip archive. An ongoing method of allocating an array then trying to fill it, combined with an insufficient check for symbolic link length led to the ability to cause excessive memory allocation. Thus a specially crafted archive could force excessive memory allocation impacting availability of a system.

This flaw has been fixed in Version 1.21

Comment 12 errata-xmlrpc 2022-07-07 14:21:08 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 13 errata-xmlrpc 2022-07-14 12:54:20 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:5555 https://access.redhat.com/errata/RHSA-2022:5555

Comment 17 Product Security DevOps Team 2022-08-30 03:34:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-36090


Note You need to log in before you can comment on or make changes to this bug.