CVE-2021-35517
Denial of service vulnerability in commons-compress (Maven)
What is CVE-2021-35517 About?
This vulnerability in Compress' tar package is a Denial of Service (DoS): a specially crafted TAR archive causes excessive memory allocation, which leads to an out-of-memory error and renders the service unavailable. Exploitation is straightforward for an attacker who can supply the malicious archive.
Affected Software
Technical Details
The vulnerability is triggered when the Compress library processes a specially crafted TAR archive. Even a small malicious input can cause a disproportionately large memory allocation inside the library, escalating to an out-of-memory error. The exact mechanism is not detailed here; it is likely related to metadata parsing or object instantiation during TAR archive processing, where certain structures or values in the archive cause internal data structures to grow without bound, exhausting available system memory and resulting in a denial of service.
What is the Impact of CVE-2021-35517?
Successful exploitation may allow attackers to disrupt service availability by causing applications to crash or become unresponsive due to resource exhaustion, leading to a denial of service.
What is the Exploitability of CVE-2021-35517?
Exploitation requires the ability to deliver a specially crafted TAR archive to a service that uses Compress' tar package. No complex setup, authentication, or privilege level is needed beyond access to the service's input mechanism, so the attack can be remote whenever the service accepts TAR archives over the network. The main condition is that the target service processes TAR archives with the vulnerable library; the likelihood of exploitation increases if the service directly exposes TAR upload or processing functionality without proper input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-35517?
Available Upgrade Options
- org.apache.commons:commons-compress
- <1.21 → Upgrade to 1.21
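The affected range above is "<1.21", so the practical first step is to find every resolved copy of commons-compress in a build, including transitive ones pulled in by other libraries. The following POSIX shell script is an added example, not part of this advisory or of the Apache project; it assumes the `groupId:artifactId:jar:version:scope` line format printed by `mvn dependency:tree`, and the sample tree embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag commons-compress versions below 1.21
# in Maven dependency-tree output. Sample tree text below is constructed.

SAMPLE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \- com.example:lib:jar:2.1:compile
[INFO]    \- org.apache.commons:commons-compress:jar:1.21:compile'

# version_lt A B: exit 0 when A < B, comparing dot-separated numeric components
# (a missing component counts as 0, so 1.21.1 is not lower than 1.21;
# a suffix such as 1.20-SNAPSHOT compares by its numeric prefix).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# find_affected TREE_TEXT: print every commons-compress version in the tree that
# falls in the affected range (<1.21), one per line; exit 0 if any was found.
find_affected() {
    hits=0
    for v in $(printf '%s\n' "$1" |
            sed -n 's/.*org\.apache\.commons:commons-compress:jar:\([^:]*\):.*/\1/p'); do
        if version_lt "$v" "1.21"; then
            echo "$v"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Stand-alone run against the constructed sample: reports 1.20, ignores 1.21.
find_affected "$SAMPLE_TREE" && echo "affected commons-compress version(s) found above"
```

Against a real project, replace the sample with the live tree, e.g. `find_affected "$(mvn dependency:tree)"`. A non-zero hit count means a copy below 1.21 is still resolved somewhere; pin the upgraded version so it wins over transitive copies rather than only bumping the direct dependency.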
Additional Resources
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46@%3Cuser.ant.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2021.html
What are Similar Vulnerabilities to CVE-2021-35517?
Similar Vulnerabilities: CVE-2021-39171, CVE-2022-21680, CVE-2022-29007, CVE-2022-24348, CVE-2022-31126
