CVE-2021-36090
HIGHCVSS 7.5/10EPSS 13.29%
Last modified
CVE-2021-36090 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.. EPSS estimates a 13.29% chance of exploitation in the next 30 days.
Description
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.0, < 1.21 |
| Oracle | Banking Apis | >= 18.1, <= 18.3 |
| Oracle | Banking Apis | 19.1 |
| Oracle | Banking Apis | 19.2 |
| Oracle | Banking Apis | 20.1 |
| Oracle | Banking Apis | 21.1 |
| Oracle | Banking Digital Experience | >= 18.1, <= 18.3 |
| Oracle | Banking Digital Experience | 19.1 |
| Oracle | Banking Digital Experience | 19.2 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Banking Digital Experience | 21.1 |
| Oracle | Banking Enterprise Default Management | 2.7.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Payments | 14.5 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Banking Platform | 2.9.0 |
| Oracle | Banking Platform | 2.12.0 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Business Process Management Suite | 12.2.1.4.0 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Billing And Revenue Management | 12.0.0.4 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.8.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Intelligence Hub | >= 8.0.0, <= 8.2.3 |
| Oracle | Communications Diameter Intelligence Hub | 8.2.3 |
| Oracle | Communications Element Manager | >= 8.2.0, <= 8.2.4.0 |
| Oracle | Communications Session Report Manager | >= 8.2.0, <= 8.2.5.0 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.5.0 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
| Oracle | Communications Unified Inventory Management | 7.4.1 |
| Oracle | Communications Unified Inventory Management | 7.4.2 |
| Oracle | Communications Unified Inventory Management | 7.5.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.1 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 |
| Oracle | Financial Services Enterprise Case Management | All versions |
| Oracle | Financial Services Enterprise Case Management | 8.0.7.2.0 |
| Oracle | Financial Services Enterprise Case Management | 8.0.8.1.0 |
| Oracle | Flexcube Universal Banking | >= 14.0.0, <= 14.3.0 |
| Oracle | Flexcube Universal Banking | 12.4 |
| Oracle | Flexcube Universal Banking | 14.5 |
| Oracle | Healthcare Data Repository | 8.1.0 |
| Oracle | Insurance Policy Administration | 11.0.2 |
| Oracle | Insurance Policy Administration | 11.1.0 |
| Oracle | Insurance Policy Administration | 11.2.8 |
| Oracle | Insurance Policy Administration | 11.3.0 |
Showing 50 of 70 affected configurations. See NVD for the full list.
References
- http://www.openwall.com/lists/oss-security/2021/07/13/4Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2021/07/13/6Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211022-0001/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- http://www.openwall.com/lists/oss-security/2021/07/13/4Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2021/07/13/6Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211022-0001/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-36090?
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
How severe is CVE-2021-36090?
CVE-2021-36090 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 13.29% probability of exploitation in the next 30 days.
How do I fix CVE-2021-36090?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-36090?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST