CVE-2018-11771
Denial of Service vulnerability in commons-compress (Maven)
What is CVE-2018-11771 About?
This vulnerability in Apache Commons Compress can lead to a Denial of Service. When processing specially crafted ZIP archives, the `ZipArchiveInputStream` may fail to properly indicate the end of the stream, causing an infinite loop. This makes it relatively easy for an attacker to trigger a DoS condition on services using the affected component.
Affected Software
Technical Details
The vulnerability lies in the `ZipArchiveInputStream` class of Apache Commons Compress versions 1.7 to 1.17. When reading a malformed ZIP archive, the `read` method does not correctly return an End-Of-File (EOF) indication once the legitimate end of the stream has been reached. If this `ZipArchiveInputStream` is then wrapped by a `java.io.InputStreamReader`, the combination can lead to an infinite read loop. An attacker can craft a ZIP archive that triggers this specific condition, causing the application to continuously attempt to read beyond the actual data, consuming CPU cycles and memory, ultimately leading to a denial of service.
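The following is an added example, not code from this advisory or from the Commons Compress project. It shows a caller-side guard for the failure mode described above: every entry is drained through `ZipArchiveInputStream` with a per-entry cap, a whole-archive cap and a bound on consecutive zero-progress reads, so a stream that never signals EOF is turned into an exception instead of an endless loop. The class name `BoundedZipReader` and the three limit values are assumptions chosen for illustration; upgrading to 1.18 remains the actual fix, and this guard is defence in depth around any archive handling of untrusted input.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/**
 * Hypothetical caller-side guard (not part of Commons Compress): reads every entry of a
 * ZIP archive through ZipArchiveInputStream under hard caps, so a stream that fails to
 * report EOF cannot keep the thread spinning. The limits are illustrative values.
 */
public final class BoundedZipReader {
    private static final long MAX_ENTRY_BYTES = 50L * 1024 * 1024;   // assumed per-entry cap
    private static final long MAX_TOTAL_BYTES = 200L * 1024 * 1024;  // assumed whole-archive cap
    private static final int MAX_ZERO_READS = 16;                    // assumed tolerance for 0-byte reads

    private BoundedZipReader() {}

    /** Drains the archive and returns the total bytes read, or throws when a cap is exceeded. */
    public static long drain(Path archive) throws IOException {
        long total = 0;
        byte[] buf = new byte[8192];
        try (InputStream raw = Files.newInputStream(archive);
             ZipArchiveInputStream zin = new ZipArchiveInputStream(raw)) {
            ZipArchiveEntry entry;
            while ((entry = zin.getNextZipEntry()) != null) {
                long entryBytes = 0;
                int zeroReads = 0;
                for (;;) {
                    int n = zin.read(buf);
                    if (n < 0) {
                        break;   // proper EOF: move on to the next entry
                    }
                    if (n == 0) {
                        // A read that makes no progress must not be retried indefinitely;
                        // give up after a small, fixed number of them.
                        if (++zeroReads > MAX_ZERO_READS) {
                            throw new IOException("no progress reading entry " + entry.getName());
                        }
                        continue;
                    }
                    zeroReads = 0;
                    entryBytes += n;
                    total += n;
                    // Bytes keep arriving past any plausible size: stop rather than trust the stream.
                    if (entryBytes > MAX_ENTRY_BYTES || total > MAX_TOTAL_BYTES) {
                        throw new IOException("size cap exceeded in entry " + entry.getName());
                    }
                }
            }
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("bytes read: " + drain(Paths.get(args[0])));
    }
}
```

Run it as `java BoundedZipReader archive.zip` with commons-compress on the classpath. The two caps do different jobs: the zero-read bound catches a stream that stalls without signalling EOF, while the byte caps catch a stream that keeps producing data; either way the caller regains control and can reject the upload instead of leaving a worker thread pinned.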
What is the Impact of CVE-2018-11771?
Successful exploitation may allow attackers to cause target services or applications to become unresponsive or crash, leading to a denial of service.
What is the Exploitability of CVE-2018-11771?
Exploitation of this vulnerability requires an attacker to provide a specially crafted ZIP archive to an application that processes such archives using the affected Apache Commons Compress library. The complexity is low as it primarily involves creating a malformed file. No authentication or elevated privileges are required, and the attack can typically be performed remotely by submitting the malicious archive. The primary risk factor is the widespread use of Apache Commons Compress in various applications, particularly those handling untrusted file uploads or external data.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-11771?
Available Upgrade Options
- org.apache.commons:commons-compress
  - >1.7, <1.18 → Upgrade to 1.18
Additional Resources
- https://github.com/apache/commons-compress
- https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7%40%3Cdev.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41%40%3Ccommits.tinkerpop.apache.org%3E
- https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6%40%3Ccommits.tinkerpop.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1%40%3Ccommits.commons.apache.org%3E
- https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E
What are Similar Vulnerabilities to CVE-2018-11771?
Similar Vulnerabilities: CVE-2021-38185, CVE-2020-13959, CVE-2021-27807, CVE-2019-10086, CVE-2018-1324
