CVE-2021-36090

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
apacheCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
apachecommons_compress
1.0 ≤
𝑥
< 1.21
oraclebanking_apis
18.1 ≤
𝑥
≤ 18.3
oraclebanking_apis
19.1
oraclebanking_apis
19.2
oraclebanking_apis
20.1
oraclebanking_apis
21.1
oraclebanking_digital_experience
18.1 ≤
𝑥
≤ 18.3
oraclebanking_digital_experience
19.1
oraclebanking_digital_experience
19.2
oraclebanking_digital_experience
20.1
oraclebanking_digital_experience
21.1
oraclebanking_enterprise_default_management
2.7.0
oraclebanking_party_management
2.7.0
oraclebanking_payments
14.5
oraclebanking_platform
2.6.2
oraclebanking_platform
2.7.1
oraclebanking_platform
2.9.0
oraclebanking_platform
2.12.0
oraclebanking_trade_finance
14.5
oraclebanking_treasury_management
14.5
oraclebusiness_process_management_suite
12.2.1.3.0
oraclebusiness_process_management_suite
12.2.1.4.0
oraclecommerce_guided_search
11.3.2
oraclecommunications_billing_and_revenue_management
12.0.0.4
oraclecommunications_cloud_native_core_automated_test_suite
1.8.0
oraclecommunications_cloud_native_core_service_communication_proxy
1.14.0
oraclecommunications_cloud_native_core_unified_data_repository
1.14.0
oraclecommunications_diameter_intelligence_hub
8.0.0 ≤
𝑥
≤ 8.2.3
oraclecommunications_diameter_intelligence_hub
8.2.3
oraclecommunications_element_manager
8.2.0 ≤
𝑥
≤ 8.2.4.0
oraclecommunications_session_report_manager
8.2.0 ≤
𝑥
≤ 8.2.5.0
oraclecommunications_session_route_manager
8.0.0 ≤
𝑥
≤ 8.2.5.0
oraclecommunications_unified_inventory_management
7.4.0
oraclecommunications_unified_inventory_management
7.4.1
oraclecommunications_unified_inventory_management
7.4.2
oraclecommunications_unified_inventory_management
7.5.0
oraclefinancial_services_analytical_applications_infrastructure
8.0.6 ≤
𝑥
≤ 8.1.1
oraclefinancial_services_crime_and_compliance_management_studio
8.0.8.2.0
oraclefinancial_services_crime_and_compliance_management_studio
8.0.8.3.0
oraclefinancial_services_enterprise_case_management
*
oraclefinancial_services_enterprise_case_management
8.0.7.2.0
oraclefinancial_services_enterprise_case_management
8.0.8.1.0
oracleflexcube_universal_banking
14.0.0 ≤
𝑥
≤ 14.3.0
oracleflexcube_universal_banking
12.4
oracleflexcube_universal_banking
14.5
oraclehealthcare_data_repository
8.1.0
oracleinsurance_policy_administration
11.0.2
oracleinsurance_policy_administration
11.1.0
oracleinsurance_policy_administration
11.2.8
oracleinsurance_policy_administration
11.3.0
oracleinsurance_policy_administration
11.3.1
oraclepeoplesoft_enterprise_peopletools
8.57
oraclepeoplesoft_enterprise_peopletools
8.58
oraclepeoplesoft_enterprise_peopletools
8.59
oracleprimavera_gateway
17.12.0 ≤
𝑥
≤ 17.12.11
oracleprimavera_gateway
18.8.0 ≤
𝑥
≤ 18.8.12
oracleprimavera_gateway
19.12.0 ≤
𝑥
≤ 19.12.11
oracleprimavera_gateway
20.12.0 ≤
𝑥
≤ 20.12.7
oracleprimavera_unifier
17.7 ≤
𝑥
≤ 17.12
oracleprimavera_unifier
18.8
oracleprimavera_unifier
19.12
oracleprimavera_unifier
20.12
oracleutilities_testing_accelerator
6.0.0.1.1
oracleutilities_testing_accelerator
6.0.0.2.2
oracleutilities_testing_accelerator
6.0.0.3.1
oraclewebcenter_portal
12.2.1.3.0
oraclewebcenter_portal
12.2.1.4.0
oraclecommunications_messaging_server
8.1
netappactive_iq_unified_manager
-
netappactive_iq_unified_manager
-
netappactive_iq_unified_manager
-
netapponcommand_insight
-
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
apachecommons-compress
𝑥
≤ 1.20
CNA
Debian logo
Debian Releases
Debian Product
Codename
libcommons-compress-java
bookworm
1.22-1
fixed
bullseye
no-dsa
buster
no-dsa
sid
1.27.1-2
fixed
stretch
no-dsa
trixie
1.27.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libcommons-compress-java
bionic
needs-triage
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2021/07/13/4
http://www.openwall.com/lists/oss-security/2021/07/13/6
https://commons.apache.org/proper/commons-compress/security-reports.html
https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949%40%3Ccommits.drill.apache.org%3E
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7%40%3Cnotifications.james.apache.org%3E
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E
https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
https://security.netapp.com/advisory/ntap-20211022-0001/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
http://www.openwall.com/lists/oss-security/2021/07/13/4
http://www.openwall.com/lists/oss-security/2021/07/13/6
https://commons.apache.org/proper/commons-compress/security-reports.html
https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949%40%3Ccommits.drill.apache.org%3E
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7%40%3Cnotifications.james.apache.org%3E
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E
https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
https://security.netapp.com/advisory/ntap-20211022-0001/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html