Security Bulletin: Apache Commons Compress Denial of Service Vulnerability Affects IBM Sterling Control Center (CVE-2021-35516)


## Summary When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. ## Vulnerability Details ** CVEID: **[CVE-2021-35516](<https://vulners.com/cve/CVE-2021-35516>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' sevenz package. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205306](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205306>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ## Affected Products and Versions Affected Product(s)| Version(s) ---|--- IBM Sterling Control Center| ## Remediation/Fixes **Product** | **VRMF** | **iFix** | **Remediation** ---|---|---|--- IBM Sterling Control Center | | iFix11 | [Fix Central -](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=>) ## Workarounds and Mitigations None ##

Affected Software

CPE Name Name Version
ibm control center