CVE-2021-35515

Apache Commons Compress 1.6 to 1.20 denial of service vulnerability

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Cuando se lee un archivo 7Z especialmente diseñado, la construcción de la lista de códecs que descomprimen una entrada puede resultar en un bucle infinito. Esto podría ser usado para montar un ataque de denegación de servicio contra los servicios que usan el paquete sevenz de Compress

A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This flaw allows the mounting of a denial of service attack against services that use Compress' SevenZ package. The highest threat from this vulnerability is to system availability.

*Credits: This issue was discovered by OSS Fuzz.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-06-27 CVE Reserved
2021-07-13 CVE Published
2024-03-28 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-834: Excessive Iteration
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (23)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/07/13/1	Mailing List
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E	Mailing List
https://security.netapp.com/advisory/ntap-20211022-0001	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujul2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://commons.apache.org/proper/commons-compress/security-reports.html	2023-11-07
https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-35515	2022-07-14
https://bugzilla.redhat.com/show_bug.cgi?id=1981895	2022-07-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Commons Compress Search vendor "Apache" for product "Commons Compress"				>= 1.6 <= 1.20 Search vendor "Apache" for product "Commons Compress" and version " >= 1.6 <= 1.20"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		linux		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		windows		Affected
Netapp Search vendor "Netapp"		Oncommand Insight Search vendor "Netapp" for product "Oncommand Insight"				-		-		Affected
Oracle Search vendor "Oracle"		Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience"				>= 18.1 <= 18.3 Search vendor "Oracle" for product "Banking Digital Experience" and version " >= 18.1 <= 18.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience"				19.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "19.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience"				20.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience"				21.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "21.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.7.0 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.7.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Party Management Search vendor "Oracle" for product "Banking Party Management"				2.7.0 Search vendor "Oracle" for product "Banking Party Management" and version "2.7.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Payments Search vendor "Oracle" for product "Banking Payments"				14.5 Search vendor "Oracle" for product "Banking Payments" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Search vendor "Oracle" for product "Banking Trade Finance"				14.5 Search vendor "Oracle" for product "Banking Trade Finance" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Treasury Management Search vendor "Oracle" for product "Banking Treasury Management"				14.5 Search vendor "Oracle" for product "Banking Treasury Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite"				12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite"				12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Commerce Guided Search Search vendor "Oracle" for product "Commerce Guided Search"				11.3.2 Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Billing And Revenue Management Search vendor "Oracle" for product "Communications Billing And Revenue Management"				12.0.0.4 Search vendor "Oracle" for product "Communications Billing And Revenue Management" and version "12.0.0.4"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Automated Test Suite Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite"				1.8.0 Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" and version "1.8.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Service Communication Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Unified Data Repository Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Unified Data Repository" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				>= 8.0.0 <= 8.2.3 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version " >= 8.0.0 <= 8.2.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				>= 8.0.0 <= 8.2.5 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.0.0 <= 8.2.5"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Crime And Compliance Management Studio Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio"				8.0.8.2.0 Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Crime And Compliance Management Studio Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio"				8.0.8.3.0 Search vendor "Oracle" for product "Financial Services Crime And Compliance Management Studio" and version "8.0.8.3.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.7.2.0 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.7.2.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Enterprise Case Management Search vendor "Oracle" for product "Financial Services Enterprise Case Management"				8.0.8.1.0 Search vendor "Oracle" for product "Financial Services Enterprise Case Management" and version "8.0.8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Flexcube Universal Banking Search vendor "Oracle" for product "Flexcube Universal Banking"				>= 14.0.0 <= 14.3.0 Search vendor "Oracle" for product "Flexcube Universal Banking" and version " >= 14.0.0 <= 14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Flexcube Universal Banking Search vendor "Oracle" for product "Flexcube Universal Banking"				12.4.0 Search vendor "Oracle" for product "Flexcube Universal Banking" and version "12.4.0"		-		Affected
Oracle Search vendor "Oracle"		Flexcube Universal Banking Search vendor "Oracle" for product "Flexcube Universal Banking"				14.5.0 Search vendor "Oracle" for product "Flexcube Universal Banking" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Healthcare Data Repository Search vendor "Oracle" for product "Healthcare Data Repository"				8.1.0 Search vendor "Oracle" for product "Healthcare Data Repository" and version "8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration"				11.0.2 Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.0.2"		-		Affected
Oracle Search vendor "Oracle"		Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration"				11.1.0 Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.1.0"		-		Affected
Oracle Search vendor "Oracle"		Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration"				11.2.8 Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.2.8"		-		Affected
Oracle Search vendor "Oracle"		Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration"				11.3.0 Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.3.0"		-		Affected
Oracle Search vendor "Oracle"		Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration"				11.3.1 Search vendor "Oracle" for product "Insurance Policy Administration" and version "11.3.1"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.57 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				>= 17.7 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				20.12 Search vendor "Oracle" for product "Primavera Unifier" and version "20.12"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.1.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.1.1"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.2.2 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.2.2"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.3.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.3.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server"				8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1"		-		Affected