Lucene search

K
ibmIBM9E0785F08078A693830D9375FB362720BEF15FAEDDCF6AF11F7E847FC4F2B207
HistoryDec 13, 2021 - 10:01 a.m.

Security Bulletin: Novalink is impacted by Vulnerabilities in Apache Commons Compress affect WebSphere Application Server (CVE-2021-35517, CVE-2021-36090)

2021-12-1310:01:39
www.ibm.com
7

EPSS

0.014

Percentile

86.2%

Summary

Novalink uses WebSphere Application Server Liberty. There is an Apache Commons Compress affect vulnerability. This has been addressed.

Vulnerability Details

CVEID:CVE-2021-35517
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compressโ€™ tar package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205307 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-36090
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compressโ€™ zip package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
NovaLink 1.0.0.16
Novalink 2.0.0.0
Novalink 2.0.1
Novalink 2.0.2

Remediation/Fixes

For Novalink 1.0.0.16 update to 1.0.0.16-211129 or later.

For Novalink 2.0.0.0, 2.0.1, 2.0.2 or 2.0.2.1 to 2.0.1-211202 or 2.0.2.1-211125 respectively.

Workarounds and Mitigations

None

EPSS

0.014

Percentile

86.2%