CVE-2021-35517
HIGHCVSS 7.5/10EPSS 10.90%
Last modified
CVE-2021-35517 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.. EPSS estimates a 10.90% chance of exploitation in the next 30 days.
Description
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.1, <= 1.20 |
| Netapp | Active Iq Unified Manager | All versions |
| Netapp | Oncommand Insight | All versions |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Apis | 19.1 |
| Oracle | Banking Apis | 19.2 |
| Oracle | Banking Apis | 20.1 |
| Oracle | Banking Apis | 21.1 |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | 19.1 |
| Oracle | Banking Digital Experience | 19.2 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Banking Digital Experience | 21.1 |
| Oracle | Banking Enterprise Default Management | 2.7.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Payments | 14.5 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Business Process Management Suite | 12.2.1.4.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.2.3 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.5 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.2.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.8.1.0 |
| Oracle | Flexcube Universal Banking | >= 14.0.0, <= 14.3.0 |
| Oracle | Flexcube Universal Banking | 12.4 |
| Oracle | Flexcube Universal Banking | 14.5 |
| Oracle | Healthcare Data Repository | 8.1.0 |
| Oracle | Insurance Policy Administration | 11.0.2 |
| Oracle | Insurance Policy Administration | 11.1.0 |
| Oracle | Insurance Policy Administration | 11.2.8 |
| Oracle | Insurance Policy Administration | 11.3.0 |
| Oracle | Insurance Policy Administration | 11.3.1 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Primavera Unifier | 19.12 |
| Oracle | Primavera Unifier | 20.12 |
| Oracle | Utilities Testing Accelerator | 6.0.0.1.1 |
| Oracle | Utilities Testing Accelerator | 6.0.0.2.2 |
| Oracle | Utilities Testing Accelerator | 6.0.0.3.1 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
Showing 50 of 52 affected configurations. See NVD for the full list.
References
- http://www.openwall.com/lists/oss-security/2021/07/13/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2021/07/13/5Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211022-0001/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2021/07/13/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2021/07/13/5Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211022-0001/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-35517?
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
How severe is CVE-2021-35517?
CVE-2021-35517 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 10.90% probability of exploitation in the next 30 days.
How do I fix CVE-2021-35517?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-35517?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST