CVE-2021-35515
Denial of Service (DoS) vulnerability in commons-compress (Maven)
What is CVE-2021-35515 About?
This vulnerability in Apache Commons Compress' sevenz package causes an infinite loop when the library reads a specially crafted 7Z archive. It can be used to mount a Denial of Service (DoS) attack against any service that opens 7Z archives with the package. Exploitation is of moderate complexity: the attacker only needs to get a malformed 7Z archive processed, no valid payload data is required.
Affected Software
- org.apache.commons:commons-compress, versions before 1.21 (the sevenz package, and with it this bug, has been present since 1.6)
Technical Details
The sevenz package of Apache Commons Compress is vulnerable to a Denial of Service (DoS) because the construction of the list of codecs that decompress an entry can enter an infinite loop while reading a specially crafted 7Z archive. In the 7Z format, each "folder" header lists the coders (decompression and filter stages) for an entry together with bind pairs that connect one coder's output stream to another coder's input stream. The reader assembles the decoder chain by starting at the packed stream and following the bind pairs from coder to coder until it reaches a coder whose output is not bound to anything, which is the unpacked entry data. Nothing in the walk bounds the number of coders visited; it relies on the bind pairs forming a simple chain. A header whose bind pairs form a cycle therefore makes the walk revisit the same coders indefinitely: the loop makes no progress and never reads further data, the thread spins at full CPU, and the application becomes unresponsive. No memory corruption or code execution is involved; the impact is exhaustion of CPU time on the thread that opens the archive. Version 1.21 adds a check that rejects a coder chain referring to the same coder more than once, so the walk always terminates.
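The coder-chain walk described above, as an added model in Python rather than the library's Java. This is illustration code, not Apache Commons Compress' own; the names (`Folder`, `BindPair`, `ordered_coders_vulnerable`, `ordered_coders_fixed`), the one-stream-per-coder simplification and both sample headers are assumptions constructed for this example. It shows a benign two-stage folder resolving in both walks, and a folder whose bind pairs form a cycle: the pre-fix shape of the walk never terminates (the model caps it with a step counter so it returns), while the walk with the cycle check rejects the folder after at most one pass over the coders.

```python
"""
Model of the 7Z coder-chain walk behind CVE-2021-35515.

Added illustration, not code from Apache Commons Compress. It models only
the header structures involved: a folder's coders, its bind pairs (which
connect a coder output stream to a coder input stream) and the packed
stream the walk starts from. Simplification (an assumption of this model):
every coder has exactly one input and one output stream, so stream index
== coder index. All names and the sample folders below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Coder:
    name: str                  # decompression/filter method, e.g. "LZMA"


@dataclass
class BindPair:
    in_index: int              # coder input stream that consumes ...
    out_index: int             # ... this coder output stream


@dataclass
class Folder:
    coders: list
    bind_pairs: list
    packed_streams: list       # input streams fed directly from packed data


def _bind_pair_for_out_stream(folder, out_index):
    """Index of the bind pair consuming out_index, or -1 if it is the final output."""
    for i, bp in enumerate(folder.bind_pairs):
        if bp.out_index == out_index:
            return i
    return -1


def _next_coder(folder, current):
    """Coder fed by the output of `current`, or -1 when that output is the entry data."""
    pair = _bind_pair_for_out_stream(folder, current)
    return folder.bind_pairs[pair].in_index if pair != -1 else -1


def ordered_coders_vulnerable(folder, max_steps=10_000):
    """Pre-1.21 shape of the walk: it terminates only if the bind pairs form
    a simple chain. max_steps exists only so this model returns; the real
    loop has no bound and spins forever when the bind pairs form a cycle."""
    chain = []
    current = folder.packed_streams[0]
    steps = 0
    while 0 <= current < len(folder.coders):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("walk did not terminate (infinite loop)")
        chain.append(folder.coders[current])
        current = _next_coder(folder, current)
    return chain


def ordered_coders_fixed(folder):
    """Same walk with a visited set, the shape of the 1.21 check: reaching a
    coder twice means the bind pairs contain a cycle, so the folder is
    rejected instead of looping. At most len(coders) iterations run."""
    chain, seen = [], set()
    current = folder.packed_streams[0]
    while 0 <= current < len(folder.coders):
        if current in seen:
            raise ValueError("folder uses the same coder more than once in coder chain")
        seen.add(current)
        chain.append(folder.coders[current])
        current = _next_coder(folder, current)
    return chain


def walk_outcome(folder, walk):
    """Run a walk and report ("ok", coder names) or ("rejected", reason)."""
    try:
        return ("ok", [c.name for c in walk(folder)])
    except (RuntimeError, ValueError) as exc:
        return ("rejected", str(exc))


# Constructed sample headers (not taken from any real archive).
# Benign: LZMA reads the packed data, its output feeds the BCJ x86 filter.
BENIGN = Folder(
    coders=[Coder("BCJ x86"), Coder("LZMA")],
    bind_pairs=[BindPair(in_index=0, out_index=1)],
    packed_streams=[1],
)
# Crafted: a second bind pair routes BCJ's output back into LZMA's input,
# closing the cycle 1 -> 0 -> 1 -> ... that the original walk never leaves.
CRAFTED = Folder(
    coders=[Coder("BCJ x86"), Coder("LZMA")],
    bind_pairs=[BindPair(in_index=0, out_index=1),
                BindPair(in_index=1, out_index=0)],
    packed_streams=[1],
)

if __name__ == "__main__":
    for label, folder in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, "vulnerable:", walk_outcome(folder, ordered_coders_vulnerable))
        print(label, "fixed:     ", walk_outcome(folder, ordered_coders_fixed))
```

The visited-set check is sufficient because the walk follows a deterministic successor (each output stream is consumed by at most one bind pair), so any non-terminating path must revisit a coder; the benign chain resolves to LZMA followed by BCJ x86, which is the order data flows during decompression.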
What is the Impact of CVE-2021-35515?
Successful exploitation allows an attacker to cause a denial of service: the thread that opens the crafted archive enters an infinite loop and pins a CPU core, and legitimate work on that thread never completes. In a service that processes archives concurrently, a handful of crafted files can tie up the whole worker pool. Confidentiality and integrity are not affected.
What is the Exploitability of CVE-2021-35515?
Exploitation of this vulnerability is of moderate complexity. An attacker needs to craft a 7Z archive whose folder header makes the codec-list construction loop, which requires understanding the 7Z header layout but no valid compressed payload. No authentication or special privileges are required at the point of processing, because the flaw is in the parsing logic itself; the loop is reached while the reader prepares to decode a folder, so opening and listing the archive can be enough to trigger it, with no data extracted. The attack is local if the archive is read from a local file and remote if the application accepts 7Z archives via network uploads, email attachments, or other remote input. The primary risk is any service that automatically processes untrusted 7Z archives, for example malware scanners, upload pipelines and build systems, which become targets for resource exhaustion.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-35515?
Available Upgrade Options
- org.apache.commons:commons-compress
- <1.21 → Upgrade to 1.21 or later
Commons Compress is frequently pulled in transitively (for example by build tools and archive-handling frameworks), so check the version that is actually resolved in the build, not only direct dependencies. Until the upgrade is in place, do not process 7Z archives from untrusted sources, or do so in an isolated worker with a CPU time limit so that a spinning thread cannot take the service down.
Additional Resources
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-35515
- https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-35515?
Similar Vulnerabilities: CVE-2021-37137, CVE-2021-37136, CVE-2018-15688, CVE-2020-27668, CVE-2022-44268
