Vulnerability Name: CVE-2012-2098 (CCN-75857)

Assigned:2012-05-23
Published:2012-05-23
Updated:2021-08-12
Summary:Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-310 (as assigned in the record; the flaw described in the summary is an algorithmic complexity denial of service, which CWE classifies as CWE-407)
Vulnerability Consequences:Denial of Service
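A check a practitioner would want alongside this record, written here as an added example rather than code from the CCN record, Apache Commons Compress or Apache Ant: scan the JARs on a classpath and flag builds of commons-compress older than 1.4.1 (the threshold this record gives) and of Ant older than 1.8.4 (the fixed release named on the Ant security page referenced below, since Ant bundles the same bzip2 sorting code). Versions are read from Maven pom.properties or, failing that, the JAR manifest. The Implementation-Title used to recognise commons-compress from a manifest, and the sample JARs the script scans, are constructed for this example.

```python
"""Classpath scan for CVE-2012-2098 (added example, not project code)."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# Fixed versions: commons-compress 1.4.1 from this record, Ant 1.8.4 from
# the Ant security page referenced in this record.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "org.apache.commons:commons-compress": (1, 4, 1),
    "org.apache.ant:ant": (1, 8, 4),
}

# Manifest Implementation-Title values used when no pom.properties exists.
# The commons-compress title here is an assumption made for this example.
TITLE_TO_COORD = {
    "org.apache.tools.ant": "org.apache.ant:ant",
    "Apache Commons Compress": "org.apache.commons:commons-compress",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4.1' -> (1, 4, 1); a '-SNAPSHOT' or other suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _parse_properties(blob: bytes) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in blob.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def _parse_manifest(blob: bytes) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in blob.decode("utf-8", "replace").splitlines():
        if ":" in line and not line.startswith(" "):  # skip continuation lines
            k, v = line.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def identify_jar(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (Maven coordinate, version string) or None if unrecognised."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        for name in names:
            m = re.fullmatch(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties", name)
            if m:
                props = _parse_properties(jar.read(name))
                if "version" in props:
                    return f"{m.group(1)}:{m.group(2)}", props["version"]
        if "META-INF/MANIFEST.MF" in names:
            mf = _parse_manifest(jar.read("META-INF/MANIFEST.MF"))
            coord = TITLE_TO_COORD.get(mf.get("Implementation-Title", ""))
            if coord and "Implementation-Version" in mf:
                return coord, mf["Implementation-Version"]
    return None


def is_affected(coord: str, version: str) -> bool:
    fixed = FIXED_IN.get(coord)
    return fixed is not None and parse_version(version) < fixed


def scan(jars: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """(path, coordinate, version) for every JAR still below its fixed version."""
    hits = []
    for path, data in jars.items():
        ident = identify_jar(data)
        if ident and is_affected(*ident):
            hits.append((path, ident[0], ident[1]))
    return hits


def make_jar(entries: Dict[str, str]) -> bytes:
    """Build an in-memory JAR; only used to construct the sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in entries.items():
            z.writestr(name, text)
    return buf.getvalue()


# Constructed sample classpath; the affected versions are ones this record lists.
SAMPLE_JARS = {
    "lib/commons-compress-1.4.jar": make_jar({
        "META-INF/maven/org.apache.commons/commons-compress/pom.properties":
            "#Generated by Maven\nversion=1.4\ngroupId=org.apache.commons\nartifactId=commons-compress\n"}),
    "lib/commons-compress-1.4.1.jar": make_jar({
        "META-INF/maven/org.apache.commons/commons-compress/pom.properties":
            "version=1.4.1\ngroupId=org.apache.commons\nartifactId=commons-compress\n"}),
    "lib/ant-1.8.3.jar": make_jar({
        "META-INF/MANIFEST.MF":
            "Manifest-Version: 1.0\nImplementation-Title: org.apache.tools.ant\nImplementation-Version: 1.8.3\n"}),
    "lib/ant-1.10.12.jar": make_jar({
        "META-INF/MANIFEST.MF":
            "Manifest-Version: 1.0\nImplementation-Title: org.apache.tools.ant\nImplementation-Version: 1.10.12\n"}),
}

if __name__ == "__main__":
    for path, coord, version in scan(SAMPLE_JARS):
        print(f"{path}: {coord} {version} is affected by CVE-2012-2098")
```

To run it against a real tree, replace SAMPLE_JARS with a dict built from `pathlib.Path(root).rglob("*.jar")` and the file bytes; note that shaded or repackaged JARs (and vendor bundles such as the WebSphere and Tivoli products listed in this record) may carry the affected classes without either marker, so a hit list from version metadata is a lower bound, not a clean bill of health.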
References:Source: CCN
Type: Apache Web site
Reporting New Security Problems with Apache Ant

Source: CONFIRM
Type: Vendor Advisory
http://ant.apache.org/security.html

Source: BUGTRAQ
Type: Third Party Advisory
20120523 [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability

Source: CONFIRM
Type: Vendor Advisory
http://commons.apache.org/compress/security.html

Source: MITRE
Type: CNA
CVE-2012-2098

Source: FEDORA
Type: Third Party Advisory
FEDORA-2012-8428

Source: FEDORA
Type: Third Party Advisory
FEDORA-2012-8465

Source: FEDORA
Type: Third Party Advisory
FEDORA-2013-5546

Source: FEDORA
Type: Third Party Advisory
FEDORA-2013-5548

Source: OSVDB
Type: Broken Link
82161

Source: MISC
Type: Third Party Advisory
http://packetstormsecurity.org/files/113014/Apache-Commons-Compress-Apache-Ant-Denial-Of-Service.html

Source: CCN
Type: SA49255
Apache Commons Compress bzip2 Denial of Service Vulnerability

Source: SECUNIA
Type: Vendor Advisory
49255

Source: CCN
Type: SA49286
Apache Ant Bzip2 Compression Denial of Service Vulnerability

Source: SECUNIA
Type: Third Party Advisory
49286

Source: CCN
Type: SA53045
Plexus-Archiver bzip2 Denial of Service Vulnerability

Source: CCN
Type: SA53194
Oracle Solaris Apache Ant Bzip2 Compression Denial of Service Vulnerability

Source: CCN
Type: SA53744
IBM Websphere Application Server Ant Denial of Service Vulnerability

Source: CCN
Type: SA53745
IBM Tivoli Integrated Portal Ant Denial of Service Vulnerability

Source: CCN
Type: IBM Security Bulletin 1644047
Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.7

Source: CONFIRM
Type: Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21644047

Source: CCN
Type: IBM Security Bulletin 1647522
Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 6.1.0.47

Source: CCN
Type: IBM Security Bulletin 1661323
Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.31

Source: CCN
Type: IBM Security Bulletin 1639723
TIP/eWAS fix for Apache Ant DoS Vulnerability CVE-2012-2098

Source: CCN
Type: OSVDB ID: 82161
Apache Commons Compress bzip2 File Compression BZip2CompressorOutputStream Class File Handling Remote DoS

Source: BID
Type: Third Party Advisory, VDB Entry
53676

Source: CCN
Type: BID-53676
Apache Commons Compress and Apache Ant CVE-2012-2098 Denial Of Service Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1027096

Source: CCN
Type: Oracle Security Blog, Apr 30, 2013
Algorithmic complexity vulnerability in Apache Ant

Source: XF
Type: Third Party Advisory, VDB Entry
apache-commons-ant-bzip2-dos(75857)

Source: CCN
Type: Plexus Archiver GIT Repository
Use apache-commons-compress for bzip2 compression/decompression

Source: MLIST
Type: Third Party Advisory
[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1

Source: CCN
Type: IBM Security Bulletin 3106029 (StoredIQ)
Multiple Vulnerabilities identified in IBM StoredIQ

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6829339 (InfoSphere Information Server)
Multiple vulnerabilities in Apache Ant affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6967553 (Cloud Pak for Data System)
Vulnerability in ant-1.8.1.jar affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0)

Source: CCN
Type: IBM Security Bulletin 6969771 (Log Analysis)
Multiple vulnerabilities affect Apache Ant shipped with IBM Operations Analytics - Log Analysis

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:commons-compress:*:*:*:*:*:*:*:* (Version < 1.4.1)

  • Configuration CCN 1:
  • cpe:/a:apache:commons_compress:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:commons_compress:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:ant:1.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:ant:1.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:ant:1.8.3:*:*:*:*:*:*:*
  • AND
  • cpe:/o:sun:sunos:5.10:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/o:oracle:solaris:11:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_integrated_portal:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_integrated_portal:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storediq:7.6.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions (Class: V = vulnerability definition, P = patch definition)
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20122098 | V | CVE-2012-2098 | 2022-05-20
oval:org.opensuse.security:def:42269 | P | Security update for the Linux Kernel (Important) | 2022-04-26
oval:org.opensuse.security:def:26188 | P | Security update for gegl (Important) | 2021-12-28
oval:org.opensuse.security:def:31330 | P | Security update for xorg-x11-server (Important) | 2021-12-14
oval:org.opensuse.security:def:33044 | P | Security update for postgresql, postgresql13, postgresql14 (Important) | 2021-11-20
oval:org.opensuse.security:def:32213 | P | Security update for binutils (Moderate) | 2021-11-09
oval:org.opensuse.security:def:31696 | P | Security update for postgresql10 (Important) | 2021-10-20
oval:org.opensuse.security:def:26144 | P | Security update for libqt5-qtsvg (Moderate) | 2021-10-11
oval:org.opensuse.security:def:26130 | P | Security update for ghostscript (Critical) | 2021-09-21
oval:org.opensuse.security:def:33005 | P | Security update for gtk-vnc (Moderate) | 2021-09-16
oval:org.opensuse.security:def:32157 | P | Security update for qemu (Important) | 2021-07-29
oval:org.opensuse.security:def:32149 | P | Security update for linuxptp (Important) | 2021-07-21
oval:org.opensuse.security:def:31639 | P | Security update for freeradius-server (Moderate) | 2021-06-11
oval:org.opensuse.security:def:36369 | P | ant-1.7.1-20.11.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:42488 | P | ant-1.7.1-20.11.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:36081 | P | ant-1.7.1-20.11.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:31633 | P | Security update for libX11 (Important) | 2021-06-08
oval:org.opensuse.security:def:32105 | P | Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important) | 2021-06-04
oval:org.opensuse.security:def:26056 | P | Security update for curl (Moderate) | 2021-05-26
oval:org.opensuse.security:def:26042 | P | Security update for cups (Important) | 2021-04-30
oval:org.opensuse.security:def:32083 | P | Security update for libnettle (Important) | 2021-04-28
oval:org.opensuse.security:def:26207 | P | Security update for openssl-1_1 (Moderate) | 2021-03-09
oval:org.opensuse.security:def:26203 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:32262 | P | Security update for java-1_8_0-openjdk (Moderate) | 2021-02-19
oval:org.opensuse.security:def:31341 | P | Security update for jasper (Important) | 2021-02-16
oval:org.opensuse.security:def:31329 | P | Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important) | 2021-02-10
oval:org.opensuse.security:def:26122 | P | Security update for python-urllib3 (Moderate) | 2021-02-03
oval:org.opensuse.security:def:26091 | P | Security update for MozillaFirefox (Important) | 2021-01-29
oval:org.opensuse.security:def:25972 | P | Security update for postgresql12 (Important) | 2020-12-04
oval:org.opensuse.security:def:31559 | P | Security update for gdm (Important) | 2020-12-03
oval:org.opensuse.security:def:35862 | P | ant-1.7.1-20.9.53 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:32001 | P | Security update for python3 (Important) | 2020-12-02
oval:org.opensuse.security:def:25706 | P | Security update for mariadb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31548 | P | Security update for sblim-sfcb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26495 | P | Security update for phpMyAdmin (Important) | 2020-12-01
oval:org.opensuse.security:def:26861 | P | ant on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25918 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:25838 | P | Security update for flash-player (Important) | 2020-12-01
oval:org.opensuse.security:def:26362 | P | Security update for nginx (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25616 | P | Security update for less (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26548 | P | freetype2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25631 | P | Security update for tar (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27332 | P | xorg-x11-libXp-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26260 | P | Security update for Mesa (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25697 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25994 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26309 | P | Security update for haproxy (Important) | 2020-12-01
oval:org.opensuse.security:def:25424 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31939 | P | Security update for glibc (Important) | 2020-12-01
oval:org.opensuse.security:def:27079 | P | ant on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32367 | P | Security update for syslog-ng (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31857 | P | Security update for cups (Important) | 2020-12-01
oval:org.opensuse.security:def:26650 | P | xdg-utils on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25834 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:31995 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:25919 | P | Security update for libplist (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25989 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:32787 | P | squidGuard on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25412 | P | Security update for gcc10 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26406 | P | Security update for mbedtls (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25915 | P | Security update for libosip2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32301 | P | Security update for python (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31415 | P | Security update for php53 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26597 | P | libpoppler-glib4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25642 | P | Security update for blktrace (Low) | 2020-12-01
oval:org.opensuse.security:def:27367 | P | ant on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31547 | P | Security update for sblim-sfcb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26344 | P | Security update for mbedtls (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26826 | P | syslog-ng on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25754 | P | Security update for flash-player (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26348 | P | Security update for SDL2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25488 | P | Security update for file-roller (Low) | 2020-12-01
oval:org.opensuse.security:def:25630 | P | Security update for openssl-1_0_0 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31914 | P | Security update for gd (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26694 | P | expat on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32044 | P | Security update for krb5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25930 | P | Security update for ImageMagick (Important) | 2020-12-01
oval:org.opensuse.security:def:32826 | P | ant on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25413 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31783 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:27044 | P | tftp on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:32323 | P | Security update for samba (Moderate) | 2020-12-01
oval:org.opensuse.security:def:31765 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:26636 | P | rsync on GA media (Moderate) | 2020-12-01
oval:com.ubuntu.precise:def:20122098000 | V | CVE-2012-2098 on Ubuntu 12.04 LTS (precise) - low. | 2012-06-29
oval:com.ubuntu.xenial:def:201220980000000 | V | CVE-2012-2098 on Ubuntu 16.04 LTS (xenial) - low. | 2012-06-29
oval:com.ubuntu.trusty:def:20122098000 | V | CVE-2012-2098 on Ubuntu 14.04 LTS (trusty) - low. | 2012-06-29
oval:com.ubuntu.xenial:def:20122098000 | V | CVE-2012-2098 on Ubuntu 16.04 LTS (xenial) - low. | 2012-06-29