PT-2021-3726 · Apache · Apache Commons Compress
OSS-Fuzz · Published 2021-07-13 · Updated 2024-08-06 · CVE-2021-36090
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Commons Compress versions 1.19 through 1.21
Confluence Data Center versions from 7.19.23 to 8.9.3
Confluence Data Center versions from 8.5.10 to 8.5.11
Confluence Server versions from 7.19.23 to 7.19.24
Confluence Server versions from 8.5.10 to 8.5.11
Description
The vulnerability stems from incorrect handling of length fields in the input data, which can be abused for denial of service. When reading a specially crafted ZIP archive, Compress can allocate large amounts of memory, producing an out-of-memory error even for very small inputs. This can be used to mount a denial-of-service attack against services that process untrusted archives with Compress' zip package.
Recommendations
For Confluence Data Center versions from 8.9.2 to 8.9.3, upgrade to version 8.9.4.
For Confluence Data Center versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.9.4 or 8.5.12 LTS.
For Confluence Data Center versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.9.4 or 8.5.12 LTS or 7.19.25 LTS.
For Confluence Server versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.5.12 LTS.
For Confluence Server versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.5.12 LTS or 7.19.25 LTS.
As a temporary workaround, consider restricting the use of Compress' zip package on untrusted input to reduce the risk of exploitation.
Tags: Fix · DoS
Affected Products
Apache Commons Compress
Confluence
Debian
RED OS
SUSE