{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"apache-commons-compress security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for apache-commons-compress is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"The Apache Commons Compress library defines an API for working with ar, cpio, Unix dump, tar, zip, gzip, XZ, Pack200 and bzip2 files.\n\nSecurity Fix(es):\n\nWhen reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.(CVE-2021-35517)\n\nWhen reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.(CVE-2021-35516)\n\nWhen reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.(CVE-2021-35515)\n\nWhen reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.(CVE-2021-36090)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for apache-commons-compress is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"apache-commons-compress",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2021-1302",
				"category":"self",
				"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1302"
			},
			{
				"summary":"CVE-2021-35517",
				"category":"self",
				"url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2021-35517&packageName=apache-commons-compress"
			},
			{
				"summary":"CVE-2021-35516",
				"category":"self",
				"url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2021-35516&packageName=apache-commons-compress"
			},
			{
				"summary":"CVE-2021-35515",
				"category":"self",
				"url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2021-35515&packageName=apache-commons-compress"
			},
			{
				"summary":"CVE-2021-36090",
				"category":"self",
				"url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2021-36090&packageName=apache-commons-compress"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-35517"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-35516"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-35515"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36090"
			},
			{
				"summary":"openEuler-SA-2021-1302 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1302.json"
			}
		],
		"title":"An update for apache-commons-compress is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2",
		"tracking":{
			"initial_release_date":"2021-08-06T09:21:41+08:00",
			"revision_history":[
				{
					"date":"2021-08-06T09:21:41+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:21:41+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:21:41+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:21:41+08:00",
			"id":"openEuler-SA-2021-1302",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"openEuler-20.03-LTS-SP2",
									"name":"openEuler-20.03-LTS-SP2"
								},
								"name":"openEuler-20.03-LTS-SP2",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"apache-commons-compress-1.21-1.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"apache-commons-compress-1.21-1.oe1.noarch.rpm"
								},
								"name":"apache-commons-compress-1.21-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"apache-commons-compress-help-1.21-1.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"apache-commons-compress-help-1.21-1.oe1.noarch.rpm"
								},
								"name":"apache-commons-compress-help-1.21-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"apache-commons-compress-1.21-1.oe1.noarch.rpm(20.03-LTS-SP2)",
									"name":"apache-commons-compress-1.21-1.oe1.noarch.rpm"
								},
								"name":"apache-commons-compress-1.21-1.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"apache-commons-compress-help-1.21-1.oe1.noarch.rpm(20.03-LTS-SP2)",
									"name":"apache-commons-compress-help-1.21-1.oe1.noarch.rpm"
								},
								"name":"apache-commons-compress-help-1.21-1.oe1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"apache-commons-compress-1.21-1.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"apache-commons-compress-1.21-1.oe1.src.rpm"
								},
								"name":"apache-commons-compress-1.21-1.oe1.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"apache-commons-compress-1.21-1.oe1.src.rpm(20.03-LTS-SP2)",
									"name":"apache-commons-compress-1.21-1.oe1.src.rpm"
								},
								"name":"apache-commons-compress-1.21-1.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"apache-commons-compress-1.21-1.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
					"name":"apache-commons-compress-1.21-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"apache-commons-compress-help-1.21-1.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
					"name":"apache-commons-compress-help-1.21-1.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"apache-commons-compress-1.21-1.oe1.noarch.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
					"name":"apache-commons-compress-1.21-1.oe1.noarch as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"apache-commons-compress-help-1.21-1.oe1.noarch.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
					"name":"apache-commons-compress-help-1.21-1.oe1.noarch as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"apache-commons-compress-1.21-1.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
					"name":"apache-commons-compress-1.21-1.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"apache-commons-compress-1.21-1.oe1.src.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src",
					"name":"apache-commons-compress-1.21-1.oe1.src as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2021-35517",
			"notes":[
				{
					"text":"When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
					],
					"details":"apache-commons-compress security update",
					"category":"vendor_fix",
					"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1302"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2021-35517"
		},
		{
			"cve":"CVE-2021-35516",
			"notes":[
				{
					"text":"When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
					],
					"details":"apache-commons-compress security update",
					"category":"vendor_fix",
					"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1302"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2021-35516"
		},
		{
			"cve":"CVE-2021-35515",
			"notes":[
				{
					"text":"When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
					],
					"details":"apache-commons-compress security update",
					"category":"vendor_fix",
					"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1302"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2021-35515"
		},
		{
			"cve":"CVE-2021-36090",
			"notes":[
				{
					"text":"When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
					"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
					"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
					],
					"details":"apache-commons-compress security update",
					"category":"vendor_fix",
					"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1302"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-help-1.21-1.oe1.noarch",
						"openEuler-20.03-LTS-SP1:apache-commons-compress-1.21-1.oe1.src",
						"openEuler-20.03-LTS-SP2:apache-commons-compress-1.21-1.oe1.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2021-36090"
		}
	]
}