CVE-2021-35516

high-risk

Published 2021-07-13

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Do I need to act?

1.4% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Active Iq Unified Manager

Oncommand Insight

Banking Digital Experience

Banking Enterprise Default Management

Banking Party Management

Business Process Management Suite

Commerce Guided Search

Communications Billing And Revenue Management

Communications Cloud Native Core Automated Test Suite

Communications Cloud Native Core Service Communication Proxy

Communications Cloud Native Core Unified Data Repository

Communications Diameter Intelligence Hub

Communications Session Route Manager

Financial Services Crime And Compliance Management Studio

Affected Vendors

Apache Oracle Netapp

References (36)

Mailing List http://www.openwall.com/lists/oss-security/2021/07/13/2

Vendor Advisory https://commons.apache.org/proper/commons-compress/security-reports.html

https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec...

https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b2334...

https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c5...

https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef659795108319...

https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef1...

https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed9...

https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede...

https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958c...

https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821...

Mailing List https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f3...

https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897...

Third Party Advisory https://security.netapp.com/advisory/ntap-20211022-0001/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Patch https://www.oracle.com/security-alerts/cpujan2022.html

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Patch https://www.oracle.com/security-alerts/cpuoct2021.html

Mailing List http://www.openwall.com/lists/oss-security/2021/07/13/2

Vendor Advisory https://commons.apache.org/proper/commons-compress/security-reports.html

and 16 more references

/ 100

high-risk

Severity 26/34 · High

Exploitability 4/34 · Minimal

Exposure 25/34 · High