PT-2021-3993 · Apache · Apache Commons Compress

Source: OSS-Fuzz · Published 2021-07-13 · Updated 2024-08-06 · CVE-2021-35515

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apache Commons Compress versions prior to the fixed version
Confluence Data Center versions from 7.19.23 through 8.9.3
Confluence Data Center versions from 8.5.10 through 8.5.11
Confluence Server versions from 7.19.23 through 7.19.24
Confluence Server versions from 8.5.10 through 8.5.11

Description

The issue lies in how the list of codecs used to decompress an entry in a 7Z archive is constructed: a specially crafted archive can make this construction loop indefinitely. This can be used to mount a denial-of-service attack against any service that passes untrusted archives to the sevenz package of Commons Compress. An unauthenticated attacker can exploit the flaw remotely against exposed assets, with no impact to confidentiality, no impact to integrity, and high impact to availability, and no user interaction is required.

Recommendations

For Confluence Data Center versions from 8.9.2 to 8.9.3, upgrade to version 8.9.4.
For Confluence Data Center versions from 8.5.10 to 8.5.11, upgrade to version 8.9.4 or 8.5.12.
For Confluence Data Center versions from 7.19.23 to 7.19.24, upgrade to version 8.9.4, 8.5.12, or 7.19.25.
For Confluence Server versions from 8.5.10 to 8.5.11, upgrade to version 8.5.12.
For Confluence Server versions from 7.19.23 to 7.19.24, upgrade to version 8.5.12 or 7.19.25.
As a temporary workaround, consider restricting access to the sevenz package until a patch is available.

Exploit

Fix

DoS

Infinite Loop

Related Identifiers

AZL-45081
BDU:2021-04515
CVE-2021-35515
GHSA-7HFM-57QF-J43Q
MGASA-2022-0009
OESA-2021-1302
OPENSUSE-SU-2021:1115-1
OPENSUSE-SU-2021:2612-1
OPENSUSE-SU-2021_1115-1
OPENSUSE-SU-2021_2612-1
OPENSUSE-SU-2024:10618-1
RHSA-2022:5555
SUSE-SU-2021:2612-1
SUSE-SU-2021_2612-1

Affected Products

Apache Commons Compress
Confluence
Debian
Red Os
Suse