History: Nov 16, 2021 - 7:39 p.m.

Security Bulletin: Apache Commons Compress Denial of Service Vulnerability Affects IBM Sterling Control Center (CVE-2021-35515)

2021-11-16 19:39:48
www.ibm.com
apache commons compress
denial of service
ibm sterling control center
cve-2021-35515
7z archive

EPSS

0.023

Percentile

90.2%

Summary

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress’ sevenz package.

Vulnerability Details

CVEID: CVE-2021-35515
**DESCRIPTION:** Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw in the construction of the list of codecs that decompress an entry. By persuading a victim to open a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ sevenz package.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/205304 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Control Center | 6.2.0.0 |

Remediation/Fixes

| Product | VRMF | iFix | Remediation |
|---|---|---|---|
| IBM Sterling Control Center | 6.2.0.0 | iFix11 | Fix Central - 6.2.0.0 |

Workarounds and Mitigations

None
