CVE-2021-35517
📋 TL;DR
CVE-2021-35517 is a denial-of-service vulnerability in Apache Commons Compress where specially crafted TAR archives can trigger excessive memory allocation, leading to out-of-memory errors. This affects any service or application that uses the vulnerable Compress library to process TAR files, potentially causing service disruption.
💻 Affected Systems
- Apache Commons Compress
📦 What is this software?
- Banking Enterprise Default Management by Oracle
- Business Process Management Suite by Oracle
- Communications Billing And Revenue Management by Oracle
- Communications Cloud Native Core Service Communication Proxy by Oracle
- Communications Cloud Native Core Unified Data Repository by Oracle
- Communications Diameter Intelligence Hub by Oracle
- Communications Session Route Manager by Oracle
- Financial Services Crime And Compliance Management Studio by Oracle
- Financial Services Enterprise Case Management by Oracle
- Peoplesoft Enterprise Peopletools by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, potentially affecting multiple services on the same host if memory is fully consumed.
Likely Case
Targeted service becomes unresponsive or crashes when processing malicious TAR archives, requiring manual intervention to restore service.
If Mitigated
Limited impact with proper memory limits and monitoring; service may degrade but not fully crash.
🎯 Exploit Status
Exploitation requires only the ability to submit a specially crafted TAR file to a vulnerable service. Public proof-of-concept code exists demonstrating the memory exhaustion attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Commons Compress 1.22
Vendor Advisory: https://commons.apache.org/proper/commons-compress/security-reports.html
Restart Required: Yes
Instructions:
1. Identify all applications using Apache Commons Compress.
2. Update the commons-compress dependency to version 1.22 or later.
3. Rebuild and redeploy affected applications.
4. Restart services using the updated library.
🔧 Temporary Workarounds
Implement memory limits
Set JVM memory limits and implement monitoring to detect and restart services experiencing memory exhaustion.
java -Xmx512m -Xms256m -jar your-application.jar
Input validation and filtering
Implement file-type validation and size limits for TAR file uploads before passing them to the Compress library.
🧯 If You Can't Patch
- Implement strict file upload controls and only accept TAR files from trusted sources
- Deploy memory monitoring and automated restart mechanisms for services processing TAR files
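The workaround and the can't-patch guidance above both come down to validating TAR uploads before they reach the Compress library. The following is an added example, not code from this advisory or from the Apache Commons project: a Python pre-screen for an upload handler that walks the archive's 512-byte header blocks, checks the ustar magic and header checksum, and rejects the file when any member's declared size, the declared total, the member count, or the size of an extended-header record (PAX `x`/`g`, GNU `L`/`K`, the metadata a parser has to buffer) exceeds a budget. It only inspects headers and skips member data by offset, so its own memory use does not depend on what the headers claim. The budgets and the sample archives built with Python's `tarfile` module are constructed assumptions. A gate like this bounds what the parser is asked to handle; it does not replace upgrading, because it cannot know which crafted layout the vulnerable versions mishandle.

```python
import io
import tarfile

BLOCK = 512
# Budgets are constructed assumptions; tune them to what the service really accepts.
MAX_ENTRIES = 10_000
MAX_ENTRY_BYTES = 256 * 1024 * 1024       # largest single member accepted
MAX_TOTAL_BYTES = 1024 * 1024 * 1024      # sum of declared member sizes
MAX_EXT_HEADER_BYTES = 64 * 1024          # PAX 'x'/'g' and GNU 'L'/'K' records
# Members whose data is metadata a parser must buffer, not file content.
EXTENDED_HEADER_TYPES = {b"x", b"g", b"L", b"K"}


class TarRejected(ValueError):
    """The archive failed pre-screening; the reason is in the message."""


def _octal(field: bytes) -> int:
    """Decode a numeric header field: octal text, or base-256 when bit 7 is set."""
    if field and field[0] & 0x80:
        return int.from_bytes(bytes([field[0] & 0x7F]) + field[1:], "big")
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0


def _checksum_ok(header: bytes) -> bool:
    """Recompute the header checksum; the checksum field itself counts as 8 spaces."""
    return _octal(header[148:156]) == sum(header[:148]) + 8 * 0x20 + sum(header[156:])


def validate_tar(data: bytes) -> dict:
    """Walk every 512-byte header; return a summary or raise TarRejected.
    Member data is skipped by offset arithmetic, so nothing is extracted or
    buffered here, whatever sizes the headers claim."""
    if len(data) % BLOCK:
        raise TarRejected("length is not a multiple of 512")
    entries = total = off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:                          # end-of-archive marker
            break
        if hdr[257:263] not in (b"ustar\0", b"ustar "):   # POSIX or GNU magic
            raise TarRejected(f"bad magic at offset {off}")
        if not _checksum_ok(hdr):
            raise TarRejected(f"checksum mismatch at offset {off}")
        size = _octal(hdr[124:136])
        if hdr[156:157] in EXTENDED_HEADER_TYPES and size > MAX_EXT_HEADER_BYTES:
            raise TarRejected(f"extended header of {size} bytes at offset {off}")
        if size > MAX_ENTRY_BYTES:
            raise TarRejected(f"member of {size} bytes at offset {off}")
        entries += 1
        if entries > MAX_ENTRIES:
            raise TarRejected("too many members")
        total += size
        if total > MAX_TOTAL_BYTES:
            raise TarRejected("declared total exceeds budget")
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
        if off > len(data):
            raise TarRejected("member data runs past end of file")
    return {"entries": entries, "declared_bytes": total}


def is_acceptable(data: bytes) -> bool:
    """Go/no-go wrapper for an upload handler."""
    try:
        validate_tar(data)
        return True
    except TarRejected:
        return False


# --- constructed sample inputs -------------------------------------------

def good_archive() -> bytes:
    """Two small regular files in USTAR format."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, payload in {"a.txt": b"hello", "b.txt": b"world!"}.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def oversized_archive() -> bytes:
    """good_archive() with its first size field rewritten far above budget and
    the checksum re-signed, so only the size budget can reject it."""
    raw = bytearray(good_archive())
    raw[124:136] = f"{2 * MAX_ENTRY_BYTES:011o}\0".encode()
    chk = sum(raw[:148]) + 8 * 0x20 + sum(raw[156:BLOCK])
    raw[148:156] = f"{chk:06o}\0 ".encode()
    return bytes(raw)


def huge_pax_archive() -> bytes:
    """One member whose PAX extended-header record exceeds MAX_EXT_HEADER_BYTES."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        info = tarfile.TarInfo("c.txt")
        info.pax_headers = {"comment": "A" * (MAX_EXT_HEADER_BYTES + 1024)}
        tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()
```

The same checks can be applied in the Java upload endpoint before the bytes are handed to the Compress stream; what matters is that the budget is enforced by code that does not itself allocate according to the header fields.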
🔍 How to Verify
Check if Vulnerable:
Check the commons-compress version in your application's dependencies. If using Maven: mvn dependency:tree | grep commons-compress. If using Gradle: gradle dependencies | grep commons-compress.
Check Version:
unzip -p commons-compress.jar META-INF/MANIFEST.MF | grep Implementation-Version (reads the version recorded in the jar manifest), or check pom.xml/build.gradle for the version
Verify Fix Applied:
Verify the commons-compress version is 1.22 or higher in your application's dependencies after update.
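The verification steps above grep for commons-compress in `mvn dependency:tree` or `gradle dependencies` output and compare against 1.22. Two traps: comparing versions as strings ("1.9" sorts after "1.22"), and Gradle printing `declared -> resolved`, where only the resolved version is on the classpath. The following added example (not from the advisory) parses both output shapes and compares numerically against the patched version the advisory names. The dependency-tree lines are constructed samples.

```python
import re

FIXED_VERSION = "1.22"   # patched release as stated in this advisory

# Matches both "org.apache.commons:commons-compress:jar:1.20:compile" (Maven) and
# "org.apache.commons:commons-compress:1.19 -> 1.22" (Gradle conflict resolution).
_DEP = re.compile(
    r"org\.apache\.commons:commons-compress:(?:jar:)?"
    r"(?P<declared>\d+(?:\.\d+)*)"
    r"(?:\s*->\s*(?P<resolved>\d+(?:\.\d+)*))?"
)


def version_key(version: str) -> tuple:
    """Numeric components, so 1.9 < 1.22 (a string compare puts 1.9 after 1.22)."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is the patched release or later, compared component-wise."""
    a, b = version_key(version), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def effective_versions(output: str) -> list:
    """Versions that actually land on the classpath, in order of appearance.
    Gradle's `declared -> resolved` form means only the resolved one runs."""
    return [m["resolved"] or m["declared"] for m in _DEP.finditer(output)]


def audit(output: str) -> dict:
    """Summarise one build's dependency output."""
    versions = sorted(set(effective_versions(output)), key=version_key)
    vulnerable = [v for v in versions if not is_fixed(v)]
    # No match at all is also "not ok": the library may be shaded or renamed,
    # which a text scan cannot see, so it needs a manual look.
    return {"versions": versions, "vulnerable": vulnerable,
            "ok": bool(versions) and not vulnerable}


# --- constructed sample outputs -------------------------------------------

MAVEN_SAMPLE = """\
[INFO] com.example:upload-service:jar:2.4.0
[INFO] +- org.apache.commons:commons-compress:jar:1.9:compile
[INFO] \\- org.apache.ant:ant:jar:1.10.12:compile
"""

GRADLE_SAMPLE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.commons:commons-compress:1.19 -> 1.22
\\--- com.example:legacy-lib:3.1
     \\--- org.apache.commons:commons-compress:1.20 -> 1.22 (*)
"""
```

Run `audit()` over the saved output of each build in the inventory from step 1 of the fix instructions; anything with a non-empty `vulnerable` list, or with no match at all, needs a closer look.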
📡 Detection & Monitoring
Log Indicators:
- OutOfMemoryError exceptions in application logs
- JVM heap dump generation
- Service restart events following memory exhaustion
Network Indicators:
- Unusually large TAR file uploads to services
- Repeated TAR file uploads from single sources
SIEM Query:
source="application.logs" AND ("OutOfMemoryError" OR "java.lang.OutOfMemoryError") AND "commons.compress"
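The SIEM query above requires `OutOfMemoryError` and `commons.compress` in the same event. When a log pipeline stores each line of a Java stack trace as its own event, that query never matches, because the `at org.apache.commons.compress...` frame sits on a later line than the OutOfMemoryError message. The following added example (not from the advisory) does the correlation over multi-line output: it ties each OutOfMemoryError to the stack frames, heap-dump notice and restart that follow for the same service, and also counts how many single lines the page's query would have matched. The log lines are constructed; the `timestamp service LEVEL message` layout and the systemd-style restart message are assumptions.

```python
from datetime import datetime
import re

COMPRESS_PKG = "org.apache.commons.compress"
# Assumed line layout: "<ISO-8601 timestamp> <service> <LEVEL> <message>"
_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<svc>\S+)\s+(?P<lvl>[A-Z]+)\s+(?P<msg>.*)$")


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def detect(lines, restart_window_s: int = 300) -> list:
    """One incident per OutOfMemoryError: whether a Commons Compress frame was in
    its stack trace, whether a heap dump was written, and how many seconds later
    the same service logged a restart (None if it did not within the window)."""
    incidents = []
    open_oom = {}                 # service -> incident whose trace is still streaming
    for raw in lines:
        m = _LINE.match(raw)
        if not m:
            continue
        ts, svc, msg = _ts(m["ts"]), m["svc"], m["msg"].strip()
        if "java.lang.OutOfMemoryError" in msg:
            inc = {"time": ts, "service": svc, "compress_frame": False,
                   "heap_dump": False, "restart_after_s": None}
            incidents.append(inc)
            open_oom[svc] = inc
            continue
        inc = open_oom.get(svc)
        if inc is None:
            continue                                   # line belongs to a healthy service
        if msg.startswith("at ") and COMPRESS_PKG in msg:
            inc["compress_frame"] = True
        elif msg.startswith("Dumping heap to"):
            inc["heap_dump"] = True
        elif "restart" in msg.lower():
            delta = (ts - inc["time"]).total_seconds()
            if delta <= restart_window_s:
                inc["restart_after_s"] = int(delta)
            del open_oom[svc]                          # process is gone; stop attributing lines
    return incidents


def high_priority(incidents) -> list:
    """Incidents worth paging on: the OOM came out of Commons Compress parsing."""
    return [i for i in incidents if i["compress_frame"]]


def siem_single_line_hits(lines) -> int:
    """How many individual lines satisfy both terms of the advisory's SIEM query.
    Shows why per-line matching misses a stack trace split across events."""
    return sum(1 for l in lines if "OutOfMemoryError" in l and "commons.compress" in l)


# --- constructed sample log ------------------------------------------------

SAMPLE_LOG = """\
2024-03-02T10:14:01Z upload-svc INFO  processing archive upload id=7f3c
2024-03-02T10:14:03Z upload-svc ERROR Exception in thread "http-nio-8080-exec-7" java.lang.OutOfMemoryError: Java heap space
2024-03-02T10:14:03Z upload-svc ERROR     at org.apache.commons.compress.archivers.tar.TarArchiveInputStream.getNextTarEntry(Unknown Source)
2024-03-02T10:14:03Z upload-svc ERROR     at com.example.upload.ArchiveScanner.scan(Unknown Source)
2024-03-02T10:14:04Z upload-svc ERROR Dumping heap to /var/dumps/java_pid4321.hprof ...
2024-03-02T10:14:49Z upload-svc WARN  Scheduled restart job, restart counter is at 1.
2024-03-02T11:02:10Z report-svc ERROR java.lang.OutOfMemoryError: GC overhead limit exceeded
2024-03-02T11:02:10Z report-svc ERROR     at com.example.report.Renderer.render(Unknown Source)
""".splitlines()
```

On this sample the advisory's query matches no line at all, while the correlation flags the upload service's OOM as Compress-related, with a heap dump written and a restart 46 seconds later; the report service's OOM is recorded but not prioritised. If the SIEM ingests the whole stack trace as one multi-line event, the query as written is sufficient.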
🔗 References
- http://www.openwall.com/lists/oss-security/2021/07/13/3
- http://www.openwall.com/lists/oss-security/2021/07/13/5
- https://commons.apache.org/proper/commons-compress/security-reports.html
- https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E
- https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E
- https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E
- https://security.netapp.com/advisory/ntap-20211022-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html