Vulnerability Name:

CVE-2021-35516 (CCN-205306)

Assigned:2021-07-13
Published:2021-07-13
Updated:2023-02-28
Summary:Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' sevenz package.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-35516

Source: security@apache.org
Type: Mailing List, Third Party Advisory
security@apache.org

Source: CCN
Type: Apache Web site
Apache Commons Compress

Source: security@apache.org
Type: Vendor Advisory
security@apache.org

Source: XF
Type: UNKNOWN
apache-cve202135516-dos(205306)

Source: security@apache.org
Type: Mailing List, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Patch, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Patch, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Patch, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Patch, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Exploit, Mailing List, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Patch, Vendor Advisory
security@apache.org

Source: CCN
Type: oss-sec Mailing List, Tue, 13 Jul 2021 04:01:04 +0000
CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability

Source: security@apache.org
Type: Third Party Advisory
security@apache.org

Source: CCN
Type: IBM Security Bulletin 6480413 (Planning Analytics Local)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6482503 (Content Navigator)
IBM Content Navigator is vulnerable to a denial of service vulnerabilty.

Source: CCN
Type: IBM Security Bulletin 6484923 (Spectrum Protect Plus)
Vulnerabilities in Apache Commons and Node.js affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6485153 (Spectrum Control)
Vulnerabilities in Node.js, XStream and Apache Commons affect IBM Spectrum Control

Source: CCN
Type: IBM Security Bulletin 6490749 (Tivoli Netcool/OMNIbus)
Multiple vulnerabilities in Apache Commons* affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)

Source: CCN
Type: IBM Security Bulletin 6492217 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Compress

Source: CCN
Type: IBM Security Bulletin 6498123 (FileNet Content Manager)
Apache commons-compress security vulnerabilities in IBM Content Manager

Source: CCN
Type: IBM Security Bulletin 6509082 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by a denial of service vulnerability in Apache Commons Compress

Source: CCN
Type: IBM Security Bulletin 6516780 (Sterling Control Center)
Apache Commons Compress Denial of Service Vulnerability Affects IBM Sterling Control Center (CVE-2021-35516)

Source: CCN
Type: IBM Security Bulletin 6525250 (Spectrum Copy Data Management)
Vulnerabilities in PostgreSQL, Apache, Golang Go, and Linux Kernel affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6527968 (Business Automation Workflow)
Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow -CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6592779 (QRadar SIEM)
Apache Commons as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-36090, CVE-2021-35517)

Source: CCN
Type: IBM Security Bulletin 6601115 (Tivoli Network Manager)
Apache Commons as used by IBM Tivoli Network Manager is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)

Source: CCN
Type: IBM Security Bulletin 6614553 (Sterling B2B Integrator)
IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Apache Commons Compress

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Source: security@apache.org
Type: Patch, Third Party Advisory
security@apache.org

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:apache:commons_compress:1.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:commons_compress:1.20:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:filenet_content_manager:5.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:filenet_content_manager:5.5.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:filenet_content_manager:5.5.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.13:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7987
    P
    apache-commons-compress-1.21-150200.3.13.4 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:6118
    P
    Security update for ImageMagick (Moderate) (in QA)
    2022-08-30
    oval:org.opensuse.security:def:95340
    P
    Security update for permissions (Important)
    2022-08-03
    oval:org.opensuse.security:def:3364
    P
    shadow-4.2.1-34.20 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94908
    P
    gnome-settings-daemon-41.0-150400.1.8 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94994
    P
    apache-commons-compress-1.21-3.3.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:4568
    P
    Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP5) (Important)
    2022-04-13
    oval:org.opensuse.security:def:101621
    P
    Security update for ldb (Low) (in QA)
    2022-04-13
    oval:org.opensuse.security:def:111939
    P
    apache-commons-compress-1.21-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:4499
    P
    Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP5) (Important)
    2021-10-12
    oval:org.opensuse.security:def:105505
    P
    apache-commons-compress-1.21-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:110999
    P
    Security update for apache-commons-compress (Important)
    2021-08-10
    oval:org.opensuse.security:def:102053
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:65588
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:117801
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:74725
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:108287
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:101795
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:65657
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:5792
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:75949
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:108719
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:66881
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:111649
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:76275
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:67207
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    oval:org.opensuse.security:def:74656
    P
    Security update for apache-commons-compress (Important)
    2021-08-05
    BACK
    apache commons compress 1.6
    apache commons compress 1.20
    ibm tivoli netcool/omnibus 8.1.0
    ibm infosphere information server 11.7
    ibm qradar security information and event manager 7.3
    ibm spectrum control 5.3.1
    ibm spectrum control 5.3.2
    ibm spectrum control 5.3.3
    ibm spectrum control 5.3.0.1
    ibm watson discovery 2.0.0
    ibm qradar security information and event manager 7.4 -
    ibm filenet content manager 5.5.4
    ibm spectrum protect plus 10.1.6
    ibm spectrum control 5.3.4
    ibm spectrum control 5.3.5
    ibm spectrum control 5.3.6
    ibm spectrum control 5.3.7
    ibm sterling b2b integrator 6.1.0.0
    ibm spectrum protect plus 10.1.7
    ibm spectrum control 5.4.1
    ibm watson discovery 2.2.1
    ibm spectrum protect plus 10.1.8
    ibm filenet content manager 5.5.6
    ibm filenet content manager 5.5.7
    ibm spectrum copy data management 2.2.13