CVE-2021-36374

Apache Ant ZIP, and ZIP based, archive denial of service vulerability

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Cuando se lee un archivo ZIP especialmente diseñado, o un formato derivado, se puede hacer que una compilación de Apache Ant asigne grandes cantidades de memoria que conlleva a un error de falta de memoria, incluso para entradas pequeñas. Esto puede ser usado para interrumpir las compilaciones usando Apache Ant. Los formatos derivados de los archivos ZIP comúnmente usados son, por ejemplo, los archivos JAR y muchos archivos de oficina. Apache Ant versiones anteriores a 1.9.16 y 1.10.11 estaba afectado

*Credits: This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090 present in Apache Commons Compress which has been detected by OSS Fuzz.

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-07-12 CVE Reserved
2021-07-14 CVE Published
2024-08-04 CVE Updated
2024-09-14 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-130: Improper Handling of Length Parameter Inconsistency

CAPEC

References (11)

URL	Tag	Source
https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E	Mailing List
https://security.netapp.com/advisory/ntap-20210819-0007	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://ant.apache.org/security.html	2023-11-07
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujul2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Ant Search vendor "Apache" for product "Ant"				>= 1.9.0 < 1.9.16 Search vendor "Apache" for product "Ant" and version " >= 1.9.0 < 1.9.16"		-		Affected
Apache Search vendor "Apache"		Ant Search vendor "Apache" for product "Ant"				>= 1.10.0 < 1.10.11 Search vendor "Apache" for product "Ant" and version " >= 1.10.0 < 1.10.11"		-		Affected
Oracle Search vendor "Oracle"		Agile Engineering Data Management Search vendor "Oracle" for product "Agile Engineering Data Management"				6.2.1.0 Search vendor "Oracle" for product "Agile Engineering Data Management" and version "6.2.1.0"		-		Affected
Oracle Search vendor "Oracle"		Agile Plm Search vendor "Oracle" for product "Agile Plm"				9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Search vendor "Oracle" for product "Banking Trade Finance"				14.5 Search vendor "Oracle" for product "Banking Trade Finance" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Treasury Management Search vendor "Oracle" for product "Banking Treasury Management"				14.5 Search vendor "Oracle" for product "Banking Treasury Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Automated Test Suite Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite"				1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" and version "1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Binding Support Function Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function"				1.11.0 Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "1.11.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				>= 8.0.0 <= 8.1.0 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version " >= 8.0.0 <= 8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Diameter Intelligence Hub Search vendor "Oracle" for product "Communications Diameter Intelligence Hub"				>= 8.2.0 <= 8.2.3 Search vendor "Oracle" for product "Communications Diameter Intelligence Hub" and version " >= 8.2.0 <= 8.2.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Order And Service Management Search vendor "Oracle" for product "Communications Order And Service Management"				7.3 Search vendor "Oracle" for product "Communications Order And Service Management" and version "7.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Order And Service Management Search vendor "Oracle" for product "Communications Order And Service Management"				7.4 Search vendor "Oracle" for product "Communications Order And Service Management" and version "7.4"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.3.0 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.3.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.0 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.1 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.4.2 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.4.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Unified Inventory Management Search vendor "Oracle" for product "Communications Unified Inventory Management"				7.5.0 Search vendor "Oracle" for product "Communications Unified Inventory Management" and version "7.5.0"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Repository Search vendor "Oracle" for product "Enterprise Repository"				11.1.1.7.0 Search vendor "Oracle" for product "Enterprise Repository" and version "11.1.1.7.0"		-		Affected
Oracle Search vendor "Oracle"		Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure"				>= 8.0.6 <= 8.1.1 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.0.6 <= 8.1.1"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Information Manager Search vendor "Oracle" for product "Health Sciences Information Manager"				>= 3.0.1 <= 3.0.5 Search vendor "Oracle" for product "Health Sciences Information Manager" and version " >= 3.0.1 <= 3.0.5"		-		Affected
Oracle Search vendor "Oracle"		Health Sciences Information Manager Search vendor "Oracle" for product "Health Sciences Information Manager"				3.0.0.1 Search vendor "Oracle" for product "Health Sciences Information Manager" and version "3.0.0.1"		-		Affected
Oracle Search vendor "Oracle"		Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration"				>= 11.0 <= 11.3.1 Search vendor "Oracle" for product "Insurance Policy Administration" and version " >= 11.0 <= 11.3.1"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 17.12.0 <= 17.12.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 17.12.0 <= 17.12.11"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 18.8.0 <= 18.8.12 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 18.8.0 <= 18.8.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 19.12.0 <= 19.12.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 19.12.0 <= 19.12.11"		-		Affected
Oracle Search vendor "Oracle"		Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway"				>= 20.12.0 <= 20.12.7 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 20.12.0 <= 20.12.7"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				>= 17.7 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12"		-		Affected
Oracle Search vendor "Oracle"		Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier"				20.12 Search vendor "Oracle" for product "Primavera Unifier" and version "20.12"		-		Affected
Oracle Search vendor "Oracle"		Product Lifecycle Analytics Search vendor "Oracle" for product "Product Lifecycle Analytics"				3.6.1 Search vendor "Oracle" for product "Product Lifecycle Analytics" and version "3.6.1"		-		Affected
Oracle Search vendor "Oracle"		Real-time Decision Server Search vendor "Oracle" for product "Real-time Decision Server"				3.2.0.0 Search vendor "Oracle" for product "Real-time Decision Server" and version "3.2.0.0"		-		Affected
Oracle Search vendor "Oracle"		Real-time Decision Server Search vendor "Oracle" for product "Real-time Decision Server"				11.1.1.9.0 Search vendor "Oracle" for product "Real-time Decision Server" and version "11.1.1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Advanced Inventory Planning Search vendor "Oracle" for product "Retail Advanced Inventory Planning"				14.1 Search vendor "Oracle" for product "Retail Advanced Inventory Planning" and version "14.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Advanced Inventory Planning Search vendor "Oracle" for product "Retail Advanced Inventory Planning"				15.0 Search vendor "Oracle" for product "Retail Advanced Inventory Planning" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Advanced Inventory Planning Search vendor "Oracle" for product "Retail Advanced Inventory Planning"				16.0 Search vendor "Oracle" for product "Retail Advanced Inventory Planning" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Back Office Search vendor "Oracle" for product "Retail Back Office"				14.0 Search vendor "Oracle" for product "Retail Back Office" and version "14.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Back Office Search vendor "Oracle" for product "Retail Back Office"				14.1 Search vendor "Oracle" for product "Retail Back Office" and version "14.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Bulk Data Integration Search vendor "Oracle" for product "Retail Bulk Data Integration"				16.0.3.0 Search vendor "Oracle" for product "Retail Bulk Data Integration" and version "16.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Bulk Data Integration Search vendor "Oracle" for product "Retail Bulk Data Integration"				19.0.1 Search vendor "Oracle" for product "Retail Bulk Data Integration" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Central Office Search vendor "Oracle" for product "Retail Central Office"				14.0 Search vendor "Oracle" for product "Retail Central Office" and version "14.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Central Office Search vendor "Oracle" for product "Retail Central Office"				14.1 Search vendor "Oracle" for product "Retail Central Office" and version "14.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Eftlink Search vendor "Oracle" for product "Retail Eftlink"				19.0.1 Search vendor "Oracle" for product "Retail Eftlink" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Eftlink Search vendor "Oracle" for product "Retail Eftlink"				20.0.1 Search vendor "Oracle" for product "Retail Eftlink" and version "20.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Extract Transform And Load Search vendor "Oracle" for product "Retail Extract Transform And Load"				13.2.8 Search vendor "Oracle" for product "Retail Extract Transform And Load" and version "13.2.8"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				14.1.3.2 Search vendor "Oracle" for product "Retail Financial Integration" and version "14.1.3.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				15.0.4.0 Search vendor "Oracle" for product "Retail Financial Integration" and version "15.0.4.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Financial Integration Search vendor "Oracle" for product "Retail Financial Integration"				16.0.3.0 Search vendor "Oracle" for product "Retail Financial Integration" and version "16.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				14.1.3.2 Search vendor "Oracle" for product "Retail Integration Bus" and version "14.1.3.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				15.0.4.0 Search vendor "Oracle" for product "Retail Integration Bus" and version "15.0.4.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				16.0.3.0 Search vendor "Oracle" for product "Retail Integration Bus" and version "16.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				19.0.1.0 Search vendor "Oracle" for product "Retail Integration Bus" and version "19.0.1.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Invoice Matching Search vendor "Oracle" for product "Retail Invoice Matching"				16.0.3 Search vendor "Oracle" for product "Retail Invoice Matching" and version "16.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System"				19.0.1 Search vendor "Oracle" for product "Retail Merchandising System" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Point-of-service Search vendor "Oracle" for product "Retail Point-of-service"				14.0 Search vendor "Oracle" for product "Retail Point-of-service" and version "14.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Point-of-service Search vendor "Oracle" for product "Retail Point-of-service"				14.1 Search vendor "Oracle" for product "Retail Point-of-service" and version "14.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Predictive Application Server Search vendor "Oracle" for product "Retail Predictive Application Server"				14.1.3 Search vendor "Oracle" for product "Retail Predictive Application Server" and version "14.1.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Predictive Application Server Search vendor "Oracle" for product "Retail Predictive Application Server"				15.0.3 Search vendor "Oracle" for product "Retail Predictive Application Server" and version "15.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Predictive Application Server Search vendor "Oracle" for product "Retail Predictive Application Server"				16.0.3.0 Search vendor "Oracle" for product "Retail Predictive Application Server" and version "16.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				14.1.3.2 Search vendor "Oracle" for product "Retail Service Backbone" and version "14.1.3.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				15.0.4.0 Search vendor "Oracle" for product "Retail Service Backbone" and version "15.0.4.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				16.0.3.0 Search vendor "Oracle" for product "Retail Service Backbone" and version "16.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				19.0.1.0 Search vendor "Oracle" for product "Retail Service Backbone" and version "19.0.1.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management"				14.1 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "14.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management"				15.0 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "15.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management"				16.0 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				16.0.6 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0.6"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				17.0.4 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				18.0.3 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				19.0.2 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				20.0.1 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "20.0.1"		-		Affected
Oracle Search vendor "Oracle"		Timesten In-memory Database Search vendor "Oracle" for product "Timesten In-memory Database"				< 11.2.2.8.27 Search vendor "Oracle" for product "Timesten In-memory Database" and version " < 11.2.2.8.27"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				>= 4.3.0.1.0 <= 4.3.0.6.0 Search vendor "Oracle" for product "Utilities Framework" and version " >= 4.3.0.1.0 <= 4.3.0.6.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.2.0.2.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.2.0.2.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.2.0.3.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.2.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.0.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.0.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.2.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.2.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.3.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.1.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.1.1"		-		Affected