PT-2021-3725 · Apache · Apache Commons Compress

Published: 2021-07-13 · Updated: 2024-08-06 · CVE-2021-35516

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Apache Commons Compress versions 1.19 through 1.21
Apache Commons Compress version 1.22
Confluence Data Center versions from 7.19.23 to 8.9.3
Confluence Data Center versions from 8.5.10 to 8.5.11
Confluence Server versions from 7.19.23 to 7.19.24
Confluence Server versions from 8.5.10 to 8.5.11

Description

The issue stems from incorrect handling of input data length parameters in the sevenz package of Apache Commons Compress. A remote attacker could supply a specially crafted 7z archive that forces the library to allocate large amounts of memory, leading to an out-of-memory error even for very small inputs. The vulnerability can be exploited to mount a denial of service attack against services that use Compress's sevenz package.

Recommendations

For Confluence Data Center versions from 8.9.2 to 8.9.3, upgrade to version 8.9.4.
For Confluence Data Center versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.9.4 or 8.5.12 LTS.
For Confluence Data Center versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.9.4, 8.5.12 LTS or 7.19.25 LTS.
For Confluence Server versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.5.12 LTS.
For Confluence Server versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.5.12 LTS or 7.19.25 LTS.
As a temporary workaround, consider restricting the use of the sevenz package in Apache Commons Compress (for example, by not accepting 7z archives from untrusted sources) to minimize the risk of exploitation.

Tags

Exploit
Fix
DoS
Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

AZL-45144
BDU:2021-03965
CVE-2021-35516
GHSA-CRV7-7245-F45F
MGASA-2022-0009
OESA-2021-1302
OPENSUSE-SU-2021:1115-1
OPENSUSE-SU-2021:2612-1
OPENSUSE-SU-2021_1115-1
OPENSUSE-SU-2021_2612-1
OPENSUSE-SU-2024:10618-1
RHSA-2022:5555
SUSE-SU-2021:2612-1

Affected Products

Apache Commons Compress
Confluence
Debian
Red Os
Suse