CVE-2021-35516
HIGHCVSS 7.5/10EPSS 12.70%
Last modified
CVE-2021-35516 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.. EPSS estimates a 12.70% chance of exploitation in the next 30 days.
Description
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.6, <= 1.20 |
| Netapp | Active Iq Unified Manager | All versions |
| Netapp | Oncommand Insight | All versions |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | 19.1 |
| Oracle | Banking Digital Experience | 19.2 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Banking Digital Experience | 21.1 |
| Oracle | Banking Enterprise Default Management | 2.7.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Business Process Management Suite | 12.2.1.4.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.8.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.2.3 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.5 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.2.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.8.1.0 |
| Oracle | Flexcube Universal Banking | >= 14.0.0, <= 14.3.0 |
| Oracle | Flexcube Universal Banking | 12.4.0 |
| Oracle | Flexcube Universal Banking | 14.5 |
| Oracle | Healthcare Data Repository | 8.1.0 |
| Oracle | Insurance Policy Administration | 11.0.2 |
| Oracle | Insurance Policy Administration | 11.1.0 |
| Oracle | Insurance Policy Administration | 11.2.8 |
| Oracle | Insurance Policy Administration | 11.3.0 |
| Oracle | Insurance Policy Administration | 11.3.1 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Primavera Unifier | 19.12 |
| Oracle | Primavera Unifier | 20.12 |
| Oracle | Utilities Testing Accelerator | 6.0.0.1.1 |
| Oracle | Utilities Testing Accelerator | 6.0.0.2.2 |
| Oracle | Utilities Testing Accelerator | 6.0.0.3.1 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
| Oracle | Communications Messaging Server | 8.1 |
References
- http://www.openwall.com/lists/oss-security/2021/07/13/2Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211022-0001/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2021/07/13/2Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211022-0001/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-35516?
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
How severe is CVE-2021-35516?
CVE-2021-35516 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 12.70% probability of exploitation in the next 30 days.
How do I fix CVE-2021-35516?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-35516?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST