CVE-2021-36374
Denial of Service (DoS) vulnerability in ant (Maven)

Denial of Service (DoS) | No known exploit

What is CVE-2021-36374 About?

This vulnerability affects Apache Ant prior to versions 1.9.16 and 1.10.11, allowing for a denial of service. A specially crafted ZIP archive (or derived format like JAR) can cause excessive memory allocation during an Ant build, leading to an out-of-memory error and disruption. Exploitation requires the attacker to introduce a malicious archive into the build process.

Affected Software

  • org.apache.ant:ant
    • >1.10.0, <1.10.11
    • >1.9.0, <1.9.16

Technical Details

Apache Ant versions prior to 1.9.16 and 1.10.11 are vulnerable to a denial of service (DoS) when processing specially crafted ZIP archives or formats derived from ZIP, such as JAR files or certain office documents. An attacker can create an archive that, while potentially small in compressed size, is designed to expand to an extraordinarily large size in memory when processed by Ant. This 'zip bomb' or 'resource exhaustion' technique causes the Ant build process to allocate vast amounts of memory, quickly exhausting available system resources. This results in an 'out of memory' error, terminating the build and making the build system unavailable.

What is the Impact of CVE-2021-36374?

Successful exploitation may allow attackers to cause a denial of service, crashing the build process and preventing software development or deployment activities.

What is the Exploitability of CVE-2021-36374?

Exploitation of this vulnerability involves an attacker crafting a malicious ZIP archive (or JAR file, etc.) designed to trigger excessive memory allocation. This crafted file must then be made accessible to an Apache Ant build process for it to be processed. The complexity is low to medium, as the creation of such an archive is a known technique. No authentication or specific privileges are strictly required on the target machine beyond the means to supply the malicious file to the build. This can be a local attack if the attacker has file system access, or remote if the build system downloads and processes untrusted archives. The likelihood of exploitation is heightened for build environments that frequently process or extract archives from external or untrusted sources.
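A pre-build screening gate for the untrusted-archive scenario described above, as an added example (not code from Apache Ant or from this advisory): it rejects ZIP/JAR files whose entry count, declared uncompressed size or compression ratio exceeds a budget before they reach the build. The names `screen_archive` and `make_sample` and the limit values are assumptions chosen for illustration; the check complements the upgrade to 1.9.16 or 1.10.11 and does not replace it.

```python
import io
import zipfile
import zlib

# Limits are assumptions for illustration; tune them to the build's real inputs.
MAX_ENTRIES = 10_000
MAX_TOTAL_BYTES = 512 * 1024 * 1024  # uncompressed budget per archive
MAX_RATIO = 100                      # uncompressed / compressed, whole archive


def screen_archive(source, max_entries=MAX_ENTRIES,
                   max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Return (ok, reason) for a ZIP/JAR given as a path or binary file object."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError) as exc:
        return False, f"unreadable archive: {exc}"
    with zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            return False, f"entry count {len(infos)} exceeds {max_entries}"
        declared = sum(i.file_size for i in infos)
        packed = max(1, sum(i.compress_size for i in infos))
        if declared > max_total:
            return False, f"declared size {declared} exceeds {max_total}"
        if declared / packed > max_ratio:
            return False, f"compression ratio {declared / packed:.0f} exceeds {max_ratio}"
        # Stream every entry in 64 KiB chunks: zipfile stops at the declared
        # size and checks the CRC, so headers that misstate the data fail here
        # without any entry being held in memory.
        try:
            for info in infos:
                with zf.open(info) as fh:
                    while fh.read(64 * 1024):
                        pass
        except (zipfile.BadZipFile, zlib.error, RuntimeError,
                NotImplementedError, EOFError) as exc:
            return False, f"entry failed verification: {exc}"
    return True, "ok"


def make_sample(entries):
    """Build a constructed in-memory archive from {name: bytes} (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf
```

Run it in CI on every third-party archive before the Ant target that reads it, and fail the job when `ok` is false.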

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2021-36374?

Available Upgrade Options

  • org.apache.ant:ant
    • >1.9.0, <1.9.16 → Upgrade to 1.9.16
  • org.apache.ant:ant
    • >1.10.0, <1.10.11 → Upgrade to 1.10.11


What are Similar Vulnerabilities to CVE-2021-36374?

Similar Vulnerabilities: CVE-2021-36373, CVE-2022-42889, CVE-2022-4752, CVE-2023-45598, CVE-2022-38533