CVE-2021-36373
CVE-2021-36373 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory, eventually leading to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. EPSS estimates a 2.51% chance of exploitation in the next 30 days.
Description
When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory, eventually leading to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ant | >= 1.9.0, < 1.9.16 |
| Apache | Ant | >= 1.10.0, < 1.10.11 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Banking Trade Finance | 14.5 |
| Oracle | Banking Treasury Management | 14.5 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.11.0 |
| Oracle | Communications Order And Service Management | 7.3 |
| Oracle | Communications Order And Service Management | 7.4 |
| Oracle | Communications Unified Inventory Management | 7.3.0 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
| Oracle | Communications Unified Inventory Management | 7.4.1 |
| Oracle | Communications Unified Inventory Management | 7.4.2 |
| Oracle | Communications Unified Inventory Management | 7.5.0 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.1 |
| Oracle | Insurance Policy Administration | >= 11.0, <= 11.3.1 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.11 |
| Oracle | Primavera Gateway | >= 18.8.0, <= 18.8.12 |
| Oracle | Primavera Gateway | >= 19.12.0, <= 19.12.11 |
| Oracle | Primavera Gateway | >= 20.12.0, <= 20.12.7 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Primavera Unifier | 19.12 |
| Oracle | Primavera Unifier | 20.12 |
| Oracle | Real-Time Decision Server | 3.2.0.0 |
| Oracle | Real-Time Decision Server | 11.1.1.9.0 |
| Oracle | Retail Advanced Inventory Planning | 14.1 |
| Oracle | Retail Advanced Inventory Planning | 15.0 |
| Oracle | Retail Advanced Inventory Planning | 16.0 |
| Oracle | Retail Back Office | 14.0 |
| Oracle | Retail Back Office | 14.1 |
| Oracle | Retail Bulk Data Integration | 16.0.3.0 |
| Oracle | Retail Bulk Data Integration | 19.0.1 |
| Oracle | Retail Central Office | 14.0 |
| Oracle | Retail Central Office | 14.1 |
| Oracle | Retail Eftlink | 19.0.1 |
| Oracle | Retail Eftlink | 20.0.1 |
| Oracle | Retail Extract Transform And Load | 13.2.8 |
| Oracle | Retail Financial Integration | 14.1.3.2 |
| Oracle | Retail Financial Integration | 15.0.4.0 |
| Oracle | Retail Financial Integration | 16.0.3.0 |
| Oracle | Retail Integration Bus | 14.1.3.2 |
| Oracle | Retail Integration Bus | 15.0.4.0 |
| Oracle | Retail Integration Bus | 16.0.3.0 |
| Oracle | Retail Integration Bus | 19.0.1.0 |
| Oracle | Retail Invoice Matching | 16.0.3 |
| Oracle | Retail Merchandising System | 19.0.1 |
| Oracle | Retail Point-Of-Service | 14.0 |
| Oracle | Retail Point-Of-Service | 14.1 |
Showing 50 of 73 affected configurations. See NVD for the full list.
References
- https://ant.apache.org/security.html (Patch, Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20210819-0007/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Not Applicable)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
Timeline
- Status: Modified
Source: NVD / NIST
