Lucene search

K
ibmIBMB07B2DDB76A96BB8480E22188347E3C9EE42A03F24868518880519216E52F154
HistoryJan 14, 2022 - 11:47 p.m.

Security Bulletin: Apache commons-compress security vulnerabilities in IBM Content Manager

2022-01-1423:47:05
www.ibm.com
39

EPSS

0.025

Percentile

90.2%

Summary

Apache commons-compress security vulnerabilities in IBM Content Navigator (ICN) toolkit affecting Administration Console for Content Platform Engine (ACCE)

Vulnerability Details

CVEID:CVE-2021-35516
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ sevenz package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205306 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-35517
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ tar package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205307 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-35515
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw in the construction of the list of codecs that decompress an entry. By persuading a victim to open a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ sevenz package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205304 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-36090
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ zip package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
FileNet Content Manager 5.5.4
FileNet Content Manager 5.5.6
FileNet Content Manager 5.5.7

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below to upgrade to Resolved by Apache commons-compress.jar v1.21 or higher.

Product VRMF APAR Remediation/First Fix
FileNet Content Manager

5.5.4

5.5.6

5.5.7

| PJ46648
PJ46648
PJ46648
PJ46648| 5.5.4.0-P8CPE-IF006 - 10/7/2021
5.5.6.0-P8CPE-ALL-LA014 - 11/19/2021
5.5.6.0-P8CPE-IF003 - 1/14/2022
5.5.7.0-P8CPE-IF001 - 9/17/2021

In the above table, the APAR links will provide more information about the fix.

Workarounds and Mitigations

None

EPSS

0.025

Percentile

90.2%