When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Fixes

Solution

No solution given by the vendor.


Workaround

Commons Compress users should upgrade to 1.21 or later. With Compress 1.19 we introduced a feature that tries to recover broken 7z archives, which makes it far easier to exploit this weakness. As a result we have disabled the recovery code by default and users need to enable it explicitly. In addition users are able to control the amount of memory SevenZFile may use and we strongly recommend using this feature when trying to recover broken archives.

References
Link Providers
http://www.openwall.com/lists/oss-security/2021/07/13/2 cve-icon cve-icon cve-icon
https://commons.apache.org/proper/commons-compress/security-reports.html cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-35516 cve-icon
https://security.netapp.com/advisory/ntap-20211022-0001/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-35516 cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2021.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-04T00:40:46.628Z

Reserved: 2021-06-27T00:00:00

Link: CVE-2021-35516

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-07-13T08:15:07.137

Modified: 2024-11-21T06:12:25.430

Link: CVE-2021-35516

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-07-13T00:00:00Z

Links: CVE-2021-35516 - Bugzilla

cve-icon OpenCVE Enrichment

No data.