CVE-2021-36373
Denial of Service (DoS) vulnerability in ant (Maven)
What is CVE-2021-36373 About?
This vulnerability in Apache Ant prior to versions 1.9.16 and 1.10.11 allows for a denial of service. Attackers can craft a special TAR archive that causes the build process to consume excessive memory. This leads to an out-of-memory error and disruption of builds, even with small inputs.
Affected Software
- org.apache.ant:ant
  - >1.10.0, <1.10.11
  - <1.9.16
Technical Details
Apache Ant versions prior to 1.9.16 and 1.10.11 are susceptible to a denial of service (DoS) vulnerability when processing specially crafted TAR archives. The vulnerability lies in how Ant parses and extracts these archives. An attacker can construct a TAR archive that, despite its small on-disk size, forces Apache Ant to allocate an unusually large amount of memory during processing. This disproportionate allocation exhausts the memory available to the build and leads to an 'out of memory' error. The Ant build then aborts, causing a denial of service for any project that relies on the vulnerable Ant version to process such archives.
What is the Impact of CVE-2021-36373?
Successful exploitation may allow attackers to cause a denial of service, crashing the build process and preventing software development or deployment activities.
What is the Exploitability of CVE-2021-36373?
Exploitation of this vulnerability requires an attacker to craft a special TAR archive. This archive must be introduced into the build environment where Apache Ant will process it. The complexity is low to medium, as it primarily involves knowing how to construct such an archive to trigger excessive memory allocation. No authentication or specific privileges are required on the target system for the archive to disrupt the build, other than the ability to supply the malicious file. The attack can be local if the attacker has access to place the archive, or remote if the build system fetches external archives without proper validation. The likelihood of exploitation increases if build systems routinely process untrusted or externally sourced TAR archives.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-36373?
Available Upgrade Options
- org.apache.ant:ant
  - <1.9.16 → Upgrade to 1.9.16
  - >1.10.0, <1.10.11 → Upgrade to 1.10.11
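The following is an added example, not code from this page or from the Apache Ant project: a Python check that scans a Maven POM for direct org.apache.ant:ant declarations and applies the affected ranges and upgrade targets exactly as listed above. The function names and the sample POM are constructed for illustration; it assumes the standard Maven POM namespace and resolves only properties defined in the same file.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def upgrade_target(version):
    """Fixed release for an affected Ant version, else None (ranges as listed on this page)."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    v = tuple(nums + [0] * (3 - len(nums)))      # pad "1.9" to (1, 9, 0)
    if v < (1, 9, 16):                           # <1.9.16
        return "1.9.16"
    if (1, 10, 0) < v < (1, 10, 11):             # >1.10.0, <1.10.11
        return "1.10.11"
    return None

def scan_pom(pom_xml):
    """Return [(version, fix)] per org.apache.ant:ant entry; fix is a release, None or 'unresolved'."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    out = []
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        if (gid, aid) != ("org.apache.ant", "ant"):
            continue
        ver = dep.findtext("m:version", "", NS).strip()
        ref = re.fullmatch(r"\$\{(.+)\}", ver)
        if ref:                                  # version given as ${property}
            ver = props.get(ref.group(1), "")
        resolved = re.fullmatch(r"\d+(\.\d+)*", ver)
        out.append((ver or "(none)", upgrade_target(ver) if resolved else "unresolved"))
    return out

# Constructed sample POM, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><ant.version>1.10.9</ant.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.ant</groupId><artifactId>ant</artifactId>
      <version>${ant.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.13.2</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for version, fix in scan_pom(SAMPLE_POM):
        print(f"org.apache.ant:ant {version}: {fix or 'not in a listed range'}")
```

Versions inherited from a parent POM are reported as unresolved, and Ant pulled in transitively is not seen at all, so confirm the result against the resolved dependency tree.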
Additional Resources
- https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E
- https://ant.apache.org/security.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
What are Similar Vulnerabilities to CVE-2021-36373?
Similar Vulnerabilities: CVE-2021-36374, CVE-2022-42889, CVE-2022-4752, CVE-2023-45598, CVE-2022-38533
