CVE-2023-42503
Improper Input Validation vulnerability in commons-compress (Maven)
What is CVE-2023-42503 About?
This vulnerability in Apache Commons Compress allows a denial of service caused by missing input validation in TAR parsing. An attacker can craft a malformed TAR file whose PAX time headers trigger excessive CPU consumption while the archive is parsed, leaving the application unresponsive. Exploitation only requires getting a vulnerable application to parse the crafted file, so it is a directed attack of moderate complexity.
Affected Software
Technical Details
The vulnerability resides in Apache Commons Compress versions 1.22 up to and including 1.23.0 (from 1.22 before 1.24.0), specifically in TAR parsing when file modification times are handled. Version 1.22 added support for high-precision file times (for example '1647221103.5998539'). These values are carried in PAX extended header records under the keys 'atime', 'ctime', 'mtime' and 'LIBARCHIVE.creationtime', as seconds and subsecond precision separated by a period.

Crucially, the header values were not validated before parsing. Each value is handed straight to the JDK's BigDecimal class, which has a publicly known algorithmic complexity problem when operating on numbers with a huge number of digits or with a very large exponent. An attacker therefore only has to place a number with a very long fraction (for example 300,000 digits) or in exponent notation (for example '9e9999999') in one of those time records. When a vulnerable version parses such a header, the resulting BigDecimal operations run for hours instead of milliseconds, exhausting CPU on the parsing thread. The exponent form needs only a few bytes of header, so the malicious archive itself can be tiny; the cost comes from the arithmetic on the value, not from the size of the input.

Only applications that parse TAR input through the CompressorStreamFactory (with file-type auto-detection), TarArchiveInputStream or TarFile classes are affected.
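The following is an added example, not code from Apache Commons Compress. It builds a small PAX archive carrying the kind of 'mtime'/'ctime' values described above (constructed samples, written with Python's tarfile module) and then walks the raw 512-byte TAR blocks itself to pull out the PAX time records and flag the ones a hardened parser should refuse before they ever reach BigDecimal. The accepted-value pattern (optional sign, at most 19 digits of seconds, optional period and at most 19 fraction digits, no exponent) is an assumption chosen so the seconds fit a signed 64-bit integer; it illustrates the pre-validation the fix needs and is not claimed to be the library's own regular expression. Python is used instead of the library's Java so the scanner runs stand-alone.

```python
"""Detect CVE-2023-42503-style PAX time values in a TAR archive.
Added example, not Apache Commons Compress code.  The SAFE_TIME pattern is an
assumption (see the lead-in), not the library's check."""
import io
import re
import tarfile

# PAX keys that the vulnerable versions hand to BigDecimal (from the advisory).
TIME_KEYS = {"atime", "ctime", "mtime", "LIBARCHIVE.creationtime"}

# Assumed safe shape: sign, up to 19 digits of seconds, optional fraction of up
# to 19 digits.  Exponent notation never matches.
SAFE_TIME = re.compile(r"-?\d{1,19}(\.\d{1,19})?")


def build_tar(pax_headers, payload=b"hello\n"):
    """Return a one-member PAX archive whose extended header carries the given
    records.  Constructed sample input; tarfile writes the records verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        info = tarfile.TarInfo("data.txt")
        info.size = len(payload)
        info.pax_headers = dict(pax_headers)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _octal(field):
    """Decode a NUL/space-terminated octal TAR header field."""
    digits = field.split(b"\0", 1)[0].strip()
    return int(digits, 8) if digits else 0


def parse_pax_records(data):
    """Split a PAX header body into (keyword, value) pairs.  Each record is
    '<len> <keyword>=<value>\\n' where <len> counts the whole record."""
    records, pos = [], 0
    while pos < len(data):
        space = data.index(b" ", pos)
        length = int(data[pos:space])
        if length <= 0 or pos + length > len(data):
            raise ValueError("corrupt PAX record length")
        body = data[space + 1:pos + length]
        if not body.endswith(b"\n"):
            raise ValueError("PAX record not newline-terminated")
        key, _, value = body[:-1].partition(b"=")
        records.append((key.decode("utf-8"), value.decode("utf-8", "replace")))
        pos += length
    return records


def iter_pax_records(tar_bytes):
    """Walk the archive block by block and yield records from 'x' (per-file)
    and 'g' (global) extended headers.  Base-256 size fields are not handled."""
    off = 0
    while off + 512 <= len(tar_bytes):
        hdr = tar_bytes[off:off + 512]
        if hdr == b"\0" * 512:            # end-of-archive marker
            break
        size = _octal(hdr[124:136])       # size field of the ustar header
        typeflag = hdr[156:157]
        data_start = off + 512
        if typeflag in (b"x", b"g"):
            yield from parse_pax_records(tar_bytes[data_start:data_start + size])
        off = data_start + ((size + 511) // 512) * 512   # data padded to 512


def classify_time_value(value):
    """Return None for an acceptable value, otherwise a short reason."""
    if SAFE_TIME.fullmatch(value):
        return None
    if "e" in value or "E" in value:
        return "exponent notation"
    if len(value) > 40:
        return "too many digits (%d)" % len(value)
    return "malformed"


def scan_time_headers(tar_bytes):
    """Return [(keyword, reason)] for every time record that should be
    rejected before any BigDecimal arithmetic is attempted on it."""
    findings = []
    for key, value in iter_pax_records(tar_bytes):
        if key in TIME_KEYS:
            reason = classify_time_value(value)
            if reason:
                findings.append((key, reason))
    return findings


if __name__ == "__main__":
    print("benign:", scan_time_headers(build_tar({"mtime": "1647221103.5998539"})))
    print("exponent:", scan_time_headers(build_tar({"mtime": "9e9999999"})))
    print("long:", scan_time_headers(build_tar({"ctime": "1." + "9" * 300_000})))
```

The scanner deliberately does not use tarfile for reading: a library's own TAR reader may coerce the value (Python's turns it into a float) and hide exactly the string a different parser would see. Pointing `scan_time_headers` at archives received from untrusted sources, before handing them to an application built on the vulnerable versions, is a cheap pre-filter while the upgrade to 1.24.0 is rolled out.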
What is the Impact of CVE-2023-42503?
Successful exploitation may allow attackers to cause a denial of service by exhausting CPU resources, rendering the affected application unresponsive and unavailable to legitimate users.
What is the Exploitability of CVE-2023-42503?
Exploitation requires crafting a malicious TAR file. The crafting step itself is simple: any tool that writes PAX extended headers can emit an oversized or exponent-form value for 'atime', 'ctime', 'mtime' or 'LIBARCHIVE.creationtime'; the attacker only needs to know which keys the vulnerable parser reads. No authentication or privileges are needed to deliver the file; it simply has to be processed by a vulnerable application, so the attack is remote wherever TAR files can be uploaded or sent to the target system. The primary risk factor is any application that accepts and parses untrusted TAR files with the vulnerable library versions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-42503?
Available Upgrade Options
- org.apache.commons:commons-compress
- >=1.22, <1.24.0 → Upgrade to 1.24.0 (1.22 itself is affected, since it introduced the high-precision time parsing)
Additional Resources
- https://security.netapp.com/advisory/ntap-20231020-0003/
- https://nvd.nist.gov/vuln/detail/CVE-2023-42503
- https://github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889
- https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c
- https://github.com/apache/commons-compress
- https://osv.dev/vulnerability/GHSA-cgwf-w82q-5jrr
What are Similar Vulnerabilities to CVE-2023-42503?
Similar Vulnerabilities: CVE-2012-2098 (an earlier CPU-exhaustion denial of service in Apache Commons Compress, which the upstream advisory cites as similar to this issue)
