Vulnerability Details : CVE-2021-36090
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Vulnerability category: Denial of service
Products affected by CVE-2021-36090
- cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
- Oracle » Flexcube Universal BankingVersions from including (>=) 14.0.0 and up to, including, (<=) 14.3.0cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_universal_banking:12.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_payments:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
- Oracle » Financial Services Analytical Applications InfrastructureVersions from including (>=) 8.0.6 and up to, including, (<=) 8.1.1cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:insurance_policy_administration:11.2.8:*:*:*:*:*:*:*
- Oracle » Communications Element ManagerVersions from including (>=) 8.2.0 and up to, including, (<=) 8.2.4.0cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
- Oracle » Communications Session Report ManagerVersions from including (>=) 8.2.0 and up to, including, (<=) 8.2.5.0cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
- Oracle » Communications Session Route ManagerVersions from including (>=) 8.0.0 and up to, including, (<=) 8.2.5.0cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
- Oracle » Banking Digital ExperienceVersions from including (>=) 18.1 and up to, including, (<=) 18.3cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:*
- Oracle » Communications Diameter Intelligence HubVersions from including (>=) 8.0.0 and up to, including, (<=) 8.2.3cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-36090
1.37%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 87 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-36090
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-36090
-
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.Assigned by: security@apache.org (Secondary)
References for CVE-2021-36090
-
https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3Cissues.drill.apache.org%3E
[jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E
CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability - Pony MailVendor Advisory
-
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E
[GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E
[GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3Cissues.drill.apache.org%3E
[jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2021/07/13/6
oss-security - CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerabilityMailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Oracle Critical Patch Update Advisory - January 2022Patch;Third Party Advisory
-
https://commons.apache.org/proper/commons-compress/security-reports.html
Commons Compress – Commons Compress Security ReportsVendor Advisory
-
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E
[GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E
[skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400) - Pony MailMailing List;Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E
[GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21 - Pony MailMailing List;Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E
[GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E
Re: [VOTE] Apache POI 5.1.0 release (RC1) - Pony MailBroken Link;Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3Cannounce.apache.org%3E
CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability - Pony MailMailing List;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2021/07/13/4
oss-security - CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerabilityMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E
[GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3Cdev.drill.apache.org%3E
[jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E
[drill] branch master updated: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090 - Pony MailMailing List;Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3Cdev.drill.apache.org%3E
[GitHub] [drill] luocooong opened a new pull request #2285: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3Cuser.ant.apache.org%3E
CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Third Party Advisory
-
https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E
[GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E
[druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496) - Pony MailMailing List;Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3Cdev.drill.apache.org%3E
[GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E
CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3Cdev.drill.apache.org%3E
[GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://security.netapp.com/advisory/ntap-20211022-0001/
July 2021 Apache Commons Compress Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3Cnotifications.james.apache.org%3E
[GitHub] [james-project] chibenwa opened a new pull request #537: [UPGRADE] Security upgrade: common-compress to 1.21 - Pony MailMailing List;Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3Cissues.drill.apache.org%3E
[jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E
[skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 - Pony MailMailing List;Patch;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Patch;Third Party Advisory
Jump to