PT-2021-3850
Vendor: Apache
Product: Apache Commons Compress
Source: OSS-Fuzz
Published: 2021-07-13
Updated: 2024-08-06
CVE: CVE-2021-35517
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Confluence Data Center versions 7.19.23 through 8.9.3
Confluence Server versions 7.19.23 through 8.5.11
Apache Commons Compress 1.1 through 1.20 (per the upstream Apache advisory; fixed in 1.21). Confluence is affected through the Commons Compress version it bundles.
Description
When reading a specially crafted TAR archive, Apache Commons Compress can be made to allocate an unbounded amount of memory, which ends in an OutOfMemoryError. The allocation is driven by values in the archive itself rather than by the archive's length, so a very small input is enough, and limiting the size of uploaded archives does not prevent it. This can be used to mount a denial of service attack against any service that feeds untrusted archives to Compress' tar package.
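The failure class the description names, modelled in Python as an added example (this is not code from Apache Commons Compress, from Atlassian, or from this advisory): a minimal ustar reader that sizes its buffer from the header's size field, beside a hardened reader that caps the declared size and streams the payload in fixed chunks. The byte-level archives, the 64 MiB cap, and every function name are constructed for the illustration; the exact code path fixed in Commons Compress 1.21 is not reproduced here.

```python
import io

BLOCK = 512
CHUNK = 64 * 1024
MAX_ENTRY_SIZE = 64 * 1024 * 1024   # policy cap: an assumption for this example


class TarPolicyError(ValueError):
    """Raised when an archive violates a size or structure policy."""


def build_header(name: str, size: int, typeflag: bytes = b"0") -> bytes:
    """Build one ustar header block (constructed test data, not a real archive)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    hdr[100:108] = b"0000644\0"          # mode
    hdr[108:116] = b"0000000\0"          # uid
    hdr[116:124] = b"0000000\0"          # gid
    hdr[124:136] = b"%011o\0" % size     # size: 11 octal digits, so up to 8 GiB - 1
    hdr[136:148] = b"00000000000\0"      # mtime
    hdr[148:156] = b"        "           # checksum field is summed as spaces
    hdr[156:157] = typeflag
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)


def parse_header(block: bytes):
    """Parse a ustar header; returns None at the end-of-archive zero block."""
    if len(block) != BLOCK:
        raise TarPolicyError("short header block")
    if block == b"\0" * BLOCK:
        return None
    stored = int(block[148:156].strip(b"\0 ") or b"0", 8)
    computed = sum(block[:148]) + 8 * 0x20 + sum(block[156:])
    if stored != computed:
        raise TarPolicyError("bad header checksum")
    size_field = block[124:136]
    if size_field[0] & 0x80:             # GNU base-256 size: refuse rather than guess
        raise TarPolicyError("base-256 size field not accepted")
    size = int(size_field.strip(b"\0 ") or b"0", 8)
    name = block[0:100].split(b"\0", 1)[0].decode()
    return {"name": name, "size": size, "typeflag": block[156:157]}


def read_entries_unbounded(stream):
    """Vulnerable pattern (a model of the bug class, not Compress' own code): the
    buffer is sized from the header before any payload is read, so a 2 KiB archive
    declaring an 8 GiB entry triggers an 8 GiB allocation. Do not run on CRAFTED."""
    entries = []
    while (block := stream.read(BLOCK)):
        hdr = parse_header(block)
        if hdr is None:
            break
        buf = bytearray(hdr["size"])     # trusts the attacker-controlled size field
        n = stream.readinto(buf)
        stream.read((-hdr["size"]) % BLOCK)
        entries.append((hdr["name"], bytes(buf[:n])))
    return entries


def read_entries_bounded(stream, max_entry_size: int = MAX_ENTRY_SIZE):
    """Hardened reader: reject declared sizes above the cap, then stream the payload
    in fixed chunks so memory grows only with bytes actually present in the archive."""
    entries = []
    while (block := stream.read(BLOCK)):
        hdr = parse_header(block)
        if hdr is None:
            break
        size = hdr["size"]
        if size > max_entry_size:
            raise TarPolicyError(
                f"entry {hdr['name']!r} declares {size} bytes, cap is {max_entry_size}")
        buf, remaining = io.BytesIO(), size
        while remaining:
            chunk = stream.read(min(CHUNK, remaining))
            if not chunk:                # header promised more data than exists
                raise TarPolicyError("truncated archive")
            buf.write(chunk)
            remaining -= len(chunk)
        stream.read((-size) % BLOCK)     # skip padding to the next 512-byte boundary
        entries.append((hdr["name"], buf.getvalue()))
    return entries


def build_archive(entries) -> bytes:
    """entries: (name, payload, declared_size). Constructed archives for the example."""
    out = bytearray()
    for name, payload, declared in entries:
        out += build_header(name, declared)
        out += payload + b"\0" * ((-len(payload)) % BLOCK)
    out += b"\0" * (2 * BLOCK)
    return bytes(out)


# Constructed inputs: a benign archive; a 2 KiB archive whose header claims an
# 8 GiB entry; and one whose header claims more payload than the stream holds.
BENIGN = build_archive([("hello.txt", b"hello", 5)])
CRAFTED = build_archive([("boom", b"x", 0o77777777777)])
TRUNCATED = build_header("cut.bin", 1024) + b"\0" * BLOCK


def scan(archive: bytes, max_entry_size: int = MAX_ENTRY_SIZE) -> str:
    """Run the hardened reader and return the verdict a service would log."""
    try:
        names = [n for n, _ in read_entries_bounded(io.BytesIO(archive), max_entry_size)]
    except TarPolicyError as exc:
        return f"rejected: {exc}"
    return f"ok: {names}"
```

`scan(CRAFTED)` rejects the archive on the header alone, before a single payload byte is buffered, while `scan(TRUNCATED)` shows the second half of the same discipline: the reader never reserves more than it has actually received. A cap of this kind belongs in the caller's policy, not only in the library, since the right limit depends on what the service is prepared to hold in memory per request.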
Recommendations
For Confluence Data Center versions from 8.9.2 to 8.9.3, upgrade to version 8.9.4.
For Confluence Data Center versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.9.4 or 8.5.12 LTS.
For Confluence Data Center versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.9.4 or 8.5.12 LTS or 7.19.25 LTS.
For Confluence Server versions from 8.5.10 to 8.5.11 LTS, upgrade to version 8.5.12 LTS.
For Confluence Server versions from 7.19.23 to 7.19.24 LTS, upgrade to version 8.5.12 LTS or 7.19.25 LTS.
For applications that use the library directly, upgrade Apache Commons Compress to 1.21 or later.
Until the upgrade is in place, do not pass TAR archives from untrusted sources to Compress' tar package, or move that processing into a separate worker process with a hard memory limit so that an OutOfMemoryError in the parser cannot take down the whole service. Limiting the size of accepted archives is not a workaround on its own, because the allocation is controlled by header fields rather than by the archive's length.
Status: Fix available
Type: DoS
Weakness: Allocation of Resources Without Limits (CWE-770)
Related Identifiers
Affected Products
Apache Commons Compress
Confluence
Debian
RED OS
SUSE