CVE-2021-36090
Denial of Service vulnerability in commons-compress (Maven)
What is CVE-2021-36090 About?
Apache Commons Compress, specifically its zip package, is vulnerable to a denial of service attack when reading specially crafted ZIP archives. A malformed archive can make the library allocate very large amounts of memory and end in an out-of-memory error, even when the archive itself is only a few bytes long. Exploitation requires nothing more than getting the vulnerable application to read an attacker-supplied ZIP file.
Affected Software
org.apache.commons:commons-compress, versions before 1.21 (the zip package: any code path that parses ZIP archives with the library).
Technical Details
The vulnerability occurs within Compress's zip package when it reads a specially crafted ZIP archive. The archive is built so that values the parser takes from the archive's own headers drive the size of what the library allocates, and that size was not adequately validated against the data actually present. Because the allocation is controlled by header fields rather than by the amount of compressed data, the attacker's file can stay very small while the library tries to allocate far more memory than is available, throwing an Out-Of-Memory error and taking down the service. Note that this is different from a classic "zip bomb", which exhausts disk, CPU or memory by decompressing a high-ratio payload: a zip bomb is bounded by limits on extracted output, whereas this over-allocation happens inside the library's parsing itself, so output caps do not prevent it. The concrete fix is the input validation added in 1.21; the mitigations below only reduce the remaining attack surface.
What is the Impact of CVE-2021-36090?
Successful exploitation allows an unauthenticated attacker who can get the application to read a ZIP archive to exhaust its heap, causing an out-of-memory error and a denial of service for the affected application (and for anything else running in the same JVM). The impact is to availability only; the flaw does not disclose data or allow code execution.
What is the Exploitability of CVE-2021-36090?
Exploitation requires an attacker to supply a specially crafted ZIP archive to a service that parses it with a vulnerable version of Compress. Building such an archive requires familiarity with the ZIP file format, but no interaction with the victim beyond delivering the file, and no privileges beyond whatever is needed to submit an archive. Authentication is not required when the service accepts unauthenticated uploads or fetches archives from untrusted sources (email attachments, third-party packages, user content). The vulnerability is remotely exploitable wherever ZIP files arrive over the network. The precondition is simply that the application hands untrusted archives to the vulnerable library; generic defences such as file-size limits do not help, since the crafted archive can be tiny. The risk is highest for applications that automatically open or decompress user-provided ZIP files, such as file upload services, mail gateways and build or package tooling that pulls commons-compress in transitively.
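The resource limits mentioned above are worth making concrete. The following is an added example, not code from the page or from the Apache Commons Compress project: a bounded ZIP extractor that caps the entry count, the per-entry decompressed size and the total decompressed size by counting bytes as they are actually inflated, instead of trusting what the headers declare. The class name BoundedZipReader, the limit values and the LimitExceededException type are assumptions made for this illustration. It assumes commons-compress 1.21 or later on the classpath; these limits do not prevent CVE-2021-36090 itself, which is triggered inside the library's parsing, so the upgrade remains the actual fix. A path-containment check is included because an extractor that writes to disk should never ship without one, although that protects against a different class of bug (Zip Slip), not this CVE.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/**
 * Bounded ZIP extraction with commons-compress 1.21+ (assumed on the classpath).
 * Defence in depth only: the over-allocation fixed by the 1.21 upgrade happens
 * inside the library's own parsing and is not caught by these limits.
 */
public final class BoundedZipReader {

    // Policy limits, chosen for this example; tune them to the application.
    private static final int  MAX_ENTRIES     = 1_000;
    private static final long MAX_ENTRY_BYTES = 64L * 1024 * 1024;   // 64 MiB per entry
    private static final long MAX_TOTAL_BYTES = 256L * 1024 * 1024;  // 256 MiB per archive
    private static final int  BUFFER_SIZE     = 8192;

    /** Thrown when an archive exceeds one of the policy limits (example type). */
    public static final class LimitExceededException extends IOException {
        LimitExceededException(String msg) { super(msg); }
    }

    /**
     * Extracts the archive below destDir and returns the number of bytes written.
     * Sizes are enforced on bytes actually inflated, never on declared sizes.
     */
    public static long extract(InputStream archive, Path destDir) throws IOException {
        long total = 0;
        int entries = 0;
        Path root = destDir.toAbsolutePath().normalize();
        byte[] buf = new byte[BUFFER_SIZE];

        try (ZipArchiveInputStream zin = new ZipArchiveInputStream(archive)) {
            ArchiveEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new LimitExceededException("more than " + MAX_ENTRIES + " entries");
                }
                // A declared size is only a hint: reject absurd claims early, but
                // never size a buffer from it (it may also be SIZE_UNKNOWN, -1).
                if (entry.getSize() != ArchiveEntry.SIZE_UNKNOWN
                        && entry.getSize() > MAX_ENTRY_BYTES) {
                    throw new LimitExceededException(
                        entry.getName() + " declares " + entry.getSize() + " bytes");
                }
                if (!zin.canReadEntryData(entry)) {
                    throw new IOException("unsupported compression method: " + entry.getName());
                }
                // Keep every entry inside destDir (Zip Slip guard, unrelated to this CVE).
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("entry escapes destination: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());

                long entryBytes = 0;
                try (OutputStream out = Files.newOutputStream(target)) {
                    int n;
                    while ((n = zin.read(buf)) != -1) {
                        entryBytes += n;
                        total += n;
                        // Enforce on real output: a small archive may inflate enormously.
                        if (entryBytes > MAX_ENTRY_BYTES || total > MAX_TOTAL_BYTES) {
                            throw new LimitExceededException(
                                "decompressed size limit reached at " + entry.getName());
                        }
                        out.write(buf, 0, n);
                    }
                }
            }
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            long written = extract(in, Paths.get(args[1]));
            System.out.println("extracted " + written + " bytes to " + args[1]);
        }
    }
}
```

Run it as `java BoundedZipReader untrusted.zip out/` with commons-compress on the classpath. Streaming through ZipArchiveInputStream means entries with a data descriptor report SIZE_UNKNOWN, which is why the byte counters, not the header values, are the enforced control; a LimitExceededException leaves a partially written tree behind, so callers should extract into a scratch directory they can discard.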
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-36090?
Available Upgrade Options
- org.apache.commons:commons-compress
- versions < 1.21 → upgrade to 1.21 or later
Because commons-compress is most often pulled in transitively (by archive, build and packaging libraries), check the version that actually ends up on the classpath with Maven's dependency tree filtered to this artifact, and pin 1.21 or later in dependencyManagement if a direct upgrade is not possible.
Additional Resources
- https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/07/13/4
- https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E
- https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3Cissues.drill.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://osv.dev/vulnerability/GHSA-mc84-pj99-q6hh
What are Similar Vulnerabilities to CVE-2021-36090?
Similar Vulnerabilities: CVE-2021-3620, CVE-2022-37453, CVE-2022-26922, CVE-2022-25883, CVE-2021-4203
