
Rewterz Threat Advisory – Multiple Apache Vulnerabilities

Severity

High

Analysis Summary

CVE-2021-35515

Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw in the construction of the list of codecs that decompress an entry. By persuading a victim to open a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ sevenz package.

CVE-2021-35516

Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ sevenz package.

CVE-2021-35517

Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ tar package.

CVE-2021-36090

Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ zip package.

CVE-2021-36373

Apache Ant is vulnerable to a denial of service, caused by an out-of-memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause the application to crash.

CVE-2021-36374

Apache Ant is vulnerable to a denial of service, caused by an out-of-memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to crash.

Impact

  • Denial of Service

Affected Vendors

Apache

Affected Product

Apache Commons Compress 1.6
Apache Commons Compress 1.20
Apache Ant 1.9
Apache Ant 1.10.0

Remediation

Upgrade to the latest version of Apache Commons Compress (1.21 or later) and Apache Ant (1.9.16 or 1.10.11 or later).

https://commons.apache.org/proper/commons-compress/
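Upgrading is the fix for the CVEs above; the following is an added example (not code from Rewterz or from the Apache projects) of the defense-in-depth a service that unpacks untrusted 7Z, TAR or ZIP input with Commons Compress would add around the library: a cap on entry count, a cap on bytes actually inflated per entry and per archive (the header's declared size is treated as a hint only), a check that entry names stay under the destination directory, and, for 7Z, the library's own `SevenZFileOptions` memory limit, which bounds the decoder memory the sevenz package allocates for LZMA/LZMA2 streams but not for other codecs. It assumes Commons Compress 1.21 or later on the classpath; the limit values, the class name `BoundedExtractor` and the helper names are illustrative choices of this example, not part of the advisory or the library.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.sevenz.SevenZArchiveEntry;
import org.apache.commons.compress.archivers.sevenz.SevenZFile;
import org.apache.commons.compress.archivers.sevenz.SevenZFileOptions;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/** Bounded extraction of untrusted archives. Limits below are illustrative; tune them per deployment. */
public final class BoundedExtractor {
    static final int  MAX_ENTRIES      = 10_000;
    static final long MAX_ENTRY_BYTES  = 256L * 1024 * 1024;   // 256 MiB of inflated data per entry
    static final long MAX_TOTAL_BYTES  = 1024L * 1024 * 1024;  // 1 GiB of inflated data per archive
    static final int  SEVENZ_MEMORY_KB = 64 * 1024;            // 64 MiB for LZMA/LZMA2 decoder state

    /** Running totals for one archive; fails fast as soon as a limit is crossed. */
    static final class Budget {
        int entries;
        long bytes;

        void newEntry(ArchiveEntry e) throws IOException {
            if (++entries > MAX_ENTRIES) throw new IOException("too many entries");
            // Declared size is only a hint (ZIP data-descriptor entries report -1); reject obvious oversize early.
            if (e.getSize() > MAX_ENTRY_BYTES) throw new IOException("entry too large: " + e.getName());
        }

        void wrote(long n) throws IOException {
            bytes += n;
            if (bytes > MAX_TOTAL_BYTES) throw new IOException("archive exceeds total size budget");
        }
    }

    /** Resolve an entry name under dest (which must be absolute and normalized) and refuse names that escape it. */
    static Path safeTarget(Path dest, String name) throws IOException {
        if (name == null || name.isEmpty()) throw new IOException("entry without a name");
        Path target = dest.resolve(name).normalize();
        if (!target.startsWith(dest)) throw new IOException("entry escapes destination: " + name);
        return target;
    }

    /** Copy the entry, counting bytes actually inflated rather than trusting the header's claim. */
    static long copyBounded(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        long written = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            written += n;
            if (written > MAX_ENTRY_BYTES) throw new IOException("entry exceeds per-entry limit while inflating");
            out.write(buf, 0, n);
        }
        return written;
    }

    /** TAR and ZIP: stream entries through the shared budget. */
    static void extractStream(ArchiveInputStream in, Path dest) throws IOException {
        Budget budget = new Budget();
        ArchiveEntry entry;
        while ((entry = in.getNextEntry()) != null) {
            budget.newEntry(entry);
            if (!in.canReadEntryData(entry)) continue;  // unsupported method or encrypted entry: skip, don't guess
            Path target = safeTarget(dest, entry.getName());
            if (entry.isDirectory()) { Files.createDirectories(target); continue; }
            Files.createDirectories(target.getParent());
            try (OutputStream out = Files.newOutputStream(target)) {
                budget.wrote(copyBounded(in, out));
            }
        }
    }

    /** 7Z: SevenZFile is not an ArchiveInputStream, and here the library's own memory limit is also applied. */
    static void extractSevenZ(Path archive, Path dest) throws IOException {
        SevenZFileOptions opts = SevenZFileOptions.builder()
                .withMaxMemoryLimitInKb(SEVENZ_MEMORY_KB)  // honored by the LZMA/LZMA2 decoders only
                .build();
        try (SevenZFile sz = new SevenZFile(archive.toFile(), opts)) {
            Budget budget = new Budget();
            SevenZArchiveEntry entry;
            while ((entry = sz.getNextEntry()) != null) {
                budget.newEntry(entry);
                Path target = safeTarget(dest, entry.getName());
                if (entry.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                try (OutputStream out = Files.newOutputStream(target)) {
                    budget.wrote(copyBounded(sz.getInputStream(entry), out));
                }
            }
        }
    }

    /** Usage: java BoundedExtractor <archive.(7z|tar|zip)> <destination-dir> */
    public static void main(String[] args) throws IOException {
        Path archive = Paths.get(args[0]);
        Path dest = Paths.get(args[1]).toAbsolutePath().normalize();
        Files.createDirectories(dest);
        String name = archive.getFileName().toString().toLowerCase();
        if (name.endsWith(".7z")) {
            extractSevenZ(archive, dest);
            return;
        }
        try (InputStream raw = Files.newInputStream(archive);
             ArchiveInputStream in = name.endsWith(".zip")
                     ? new ZipArchiveInputStream(raw) : new TarArchiveInputStream(raw)) {
            extractStream(in, dest);
        }
    }
}
```

The byte budget is enforced on what the decoder actually emits, so a small archive that inflates to far more than its headers admit is stopped at the limit rather than at exhaustion of the heap; the entry-count limit does the same for archives built from very many tiny entries. Note the caveat that follows from the CVE descriptions: these allocations happen inside the library while it parses headers, before any entry data reaches this code, so the wrapper reduces blast radius but does not replace the 1.21 upgrade.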