CVE-2021-35515
📋 TL;DR
CVE-2021-35515 is a denial-of-service vulnerability in Apache Commons Compress's 7Z archive handling. When processing a specially crafted 7Z file, the codec list construction can enter an infinite loop, causing resource exhaustion. This affects any service or application that uses the vulnerable commons-compress library to process 7Z archives.
💻 Affected Systems
- Apache Commons Compress
📦 What is this software?
Banking Enterprise Default Management by Oracle
View all CVEs affecting Banking Enterprise Default Management →
Business Process Management Suite by Oracle
Business Process Management Suite by Oracle
Communications Billing And Revenue Management by Oracle
View all CVEs affecting Communications Billing And Revenue Management →
Communications Cloud Native Core Automated Test Suite by Oracle
View all CVEs affecting Communications Cloud Native Core Automated Test Suite →
Communications Cloud Native Core Service Communication Proxy by Oracle
View all CVEs affecting Communications Cloud Native Core Service Communication Proxy →
Communications Cloud Native Core Unified Data Repository by Oracle
View all CVEs affecting Communications Cloud Native Core Unified Data Repository →
Communications Diameter Intelligence Hub by Oracle
View all CVEs affecting Communications Diameter Intelligence Hub →
Communications Session Route Manager by Oracle
View all CVEs affecting Communications Session Route Manager →
Financial Services Crime And Compliance Management Studio by Oracle
View all CVEs affecting Financial Services Crime And Compliance Management Studio →
Financial Services Crime And Compliance Management Studio by Oracle
View all CVEs affecting Financial Services Crime And Compliance Management Studio →
Financial Services Enterprise Case Management by Oracle
View all CVEs affecting Financial Services Enterprise Case Management →
Financial Services Enterprise Case Management by Oracle
View all CVEs affecting Financial Services Enterprise Case Management →
Peoplesoft Enterprise Peopletools by Oracle
Peoplesoft Enterprise Peopletools by Oracle
Peoplesoft Enterprise Peopletools by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion (CPU/memory) when processing malicious 7Z archives, potentially affecting multiple services simultaneously.
Likely Case
Service degradation or temporary unavailability for systems that process user-uploaded 7Z files, requiring manual intervention to restart affected services.
If Mitigated
Minimal impact with proper input validation, rate limiting, and monitoring in place to detect and block malicious archives before processing.
🎯 Exploit Status
Exploitation requires only the ability to submit a specially crafted 7Z file to a vulnerable service. Proof-of-concept details are publicly available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Commons Compress 1.21
Vendor Advisory: https://commons.apache.org/proper/commons-compress/security-reports.html
Restart Required: Yes
Instructions:
1. Identify all applications using Apache Commons Compress. 2. Update commons-compress dependency to version 1.21 or later. 3. Rebuild and redeploy affected applications. 4. Restart services using the updated library.
🔧 Temporary Workarounds
Input validation and filtering
allImplement strict validation of 7Z files before processing, including file size limits and format validation.
Process isolation
linuxRun 7Z archive processing in isolated containers or processes with resource limits to prevent system-wide impact.
docker run --memory=512m --cpus=1.0 your_app
🧯 If You Can't Patch
- Implement strict rate limiting on 7Z file uploads/processing to limit attack impact
- Deploy WAF rules to detect and block malicious 7Z archives before they reach vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check your application's dependencies for Apache Commons Compress versions 1.15 through 1.20. For Maven projects: mvn dependency:tree | grep commons-compress. For Gradle: gradle dependencies | grep commons-compress.Check Version:
java -cp commons-compress.jar org.apache.commons.compress.utils.IOUtils 2>&1 | grep version || echo "Check pom.xml or build.gradle for version"Verify Fix Applied:
Verify commons-compress version is 1.21 or later. Test with known safe 7Z archives to ensure processing works correctly without resource exhaustion.📡 Detection & Monitoring
Log Indicators:
- Unusually long processing times for 7Z files
- High CPU/memory usage spikes during archive processing
- Service restarts or crashes when handling archives
Network Indicators:
- Multiple 7Z file uploads from single source in short time
- Unusual archive file sizes or patterns
SIEM Query:
source="application.logs" AND ("7z" OR "sevenz") AND ("timeout" OR "hang" OR "high cpu" OR "out of memory")🔗 References
- http://www.openwall.com/lists/oss-security/2021/07/13/1
- https://commons.apache.org/proper/commons-compress/security-reports.html
- https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
- https://security.netapp.com/advisory/ntap-20211022-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://www.openwall.com/lists/oss-security/2021/07/13/1
- https://commons.apache.org/proper/commons-compress/security-reports.html
- https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
- https://security.netapp.com/advisory/ntap-20211022-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
