CVE-2021-35515

high-risk

Published 2021-07-13

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Do I need to act?

0.60% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Commons Compress

Active Iq Unified Manager

Oncommand Insight

Banking Digital Experience

Banking Enterprise Default Management

Banking Party Management

Banking Payments

Banking Trade Finance

Banking Treasury Management

Business Process Management Suite

Commerce Guided Search

Communications Billing And Revenue Management

Communications Cloud Native Core Automated Test Suite

Communications Cloud Native Core Service Communication Proxy

Affected Vendors

Apache Oracle Netapp

References (42)

Mailing List http://www.openwall.com/lists/oss-security/2021/07/13/1

Vendor Advisory https://commons.apache.org/proper/commons-compress/security-reports.html

Vendor Advisory https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c8...

https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec...

https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b2334...

https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e65...

https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c5...

https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef659795108319...

https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef1...

https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed9...

https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede...

https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb...

https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c...

https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958c...

https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd0067...

https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897...

Third Party Advisory https://security.netapp.com/advisory/ntap-20211022-0001/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://www.oracle.com/security-alerts/cpujul2022.html

and 22 more references

/ 100

high-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 25/34 · High