Lucene search

K
ibmIBM2494FA18EBA69E49E0C9B21340A86FBCE7BF93F9CB851C89E87B389A942B8EB4
HistorySep 24, 2021 - 10:36 p.m.

Security Bulletin: Integrated application server and integrated web services for IBM i are affected by CVE-2021-35517 and CVE-2021-36090

2021-09-2422:36:57
www.ibm.com
8

EPSS

0.014

Percentile

86.2%

Summary

There are multiple vulnerabilities in the Apache Commons Compress library as described in the vulnerability details section. The Apache Commons Compress library is used by WebSphere Application Server Liberty on IBM i. WebSphere Application Server Liberty is the runtime that is used by integrated application server and integrated web services server. IBM i has addressed the vulnerability in the WebSphere Application Server Liberty implementation.

Vulnerability Details

CVEID:CVE-2021-35517
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ tar package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205307 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-36090
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ zip package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM i 7.4
IBM i 7.3
IBM i 7.2

Remediation/Fixes

The issues can be fixed by applying a PTF to IBM i.
Releases 7.4, 7.3, and 7.2 of IBM i are supported and will be fixed.
The IBM i PTF numbers containing the fix for the CVEs are:

**Release 7.4 – SI77224 ****Release 7.3 – SI77225 **Release 7.2 – SI77226

** **<https://www.ibm.com/support/fixcentral/&gt;

_Important note: __IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
_

Workarounds and Mitigations

None

EPSS

0.014

Percentile

86.2%