CVE-2023-42503


Received


This vulnerability has been received by the NVD and has not been analyzed.

Description

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing. This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue.

A third party can create a malformed TAR file by manipulating file modification time headers, which, when parsed with Apache Commons Compress, will cause a denial of service via CPU consumption. In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue COMPRESS-612 [1]). The format for the PAX extended headers carrying this information consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values. Parsing of these numbers uses the BigDecimal [3] class from the JDK, which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) inside a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5].

Only applications using the CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and the later releases before 1.24.0 are impacted.

[1]: https://issues.apache.org/jira/browse/COMPRESS-612
[2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05
[3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html
[4]: https://bugs.openjdk.org/browse/JDK-6560193
[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
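The following is an added example, not code from Apache Commons Compress or from the NVD entry. It encodes and decodes POSIX pax extended-header records, then parses the four time fields named above two ways: the lenient way (the raw header string goes straight to an arbitrary-precision decimal type, which is the shape of the unvalidated path) and a validating way that bounds the input and enforces the `<seconds>[.<subseconds>]` syntax before any numeric conversion. It is written in Python so it runs stand-alone; the same validate-before-convert ordering is what the Java code path needs. The sample header blocks are constructed here to mirror the two malformed shapes in the description (a 300,000-digit fraction and "9e9999999"); they are not taken from a real archive. All function names, and the 20-digit integer and 9-digit fraction limits, are assumptions chosen for this example.

```python
"""Added example (not Commons Compress code): pax time-header validation."""
import re
from decimal import Decimal

TIME_KEYS = {"atime", "ctime", "mtime", "LIBARCHIVE.creationtime"}
MAX_INT_DIGITS = 20   # assumed bound: covers any 64-bit count of seconds
MAX_FRAC_DIGITS = 9   # assumed bound: nanosecond precision
MAX_VALUE_LEN = 1 + MAX_INT_DIGITS + 1 + MAX_FRAC_DIGITS  # '-', digits, '.', fraction

# pax time syntax: optional '-', decimal seconds, optional '.' plus decimal
# subseconds. Exponents, signs after the period, whitespace etc. are rejected.
_TIME_RE = re.compile(r"(-?)([0-9]{1,%d})(?:\.([0-9]{1,%d}))?"
                      % (MAX_INT_DIGITS, MAX_FRAC_DIGITS))


def encode_pax_record(key: str, value: str) -> bytes:
    """Build '<len> <key>=<value>\\n'; <len> counts the whole record, itself included."""
    body = f" {key}={value}\n".encode("utf-8")
    n = len(body) + 1
    while len(str(n)) + len(body) != n:   # grow until the length field is self-consistent
        n = len(str(n)) + len(body)
    return str(n).encode("ascii") + body


def decode_pax_records(data: bytes) -> dict:
    """Split a pax header block into {key: value}, checking every length prefix."""
    records, pos = {}, 0
    while pos < len(data):
        sp = data.find(b" ", pos)
        length_field = data[pos:sp] if sp != -1 else b""
        if not length_field.isdigit() or len(length_field) > 10:
            raise ValueError(f"bad pax record length at offset {pos}")
        length = int(length_field)
        end = pos + length
        # a record is at least '<len> \n'; it must end on a newline inside the block
        if length < len(length_field) + 2 or end > len(data) or data[end - 1] != 0x0A:
            raise ValueError(f"pax record at offset {pos} has inconsistent length")
        key, _, value = data[sp + 1:end - 1].decode("utf-8").partition("=")
        records[key] = value
        pos = end
    return records


def parse_pax_time_lenient(value: str) -> Decimal:
    """Unvalidated path: an arbitrary-precision decimal type accepts exponent
    notation and fractions of any length, so '9e9999999' parses 'successfully'."""
    return Decimal(value)


def parse_pax_time(value: str) -> tuple:
    """Validating path: bound the length, enforce the pax syntax, then convert with
    fixed-size integer arithmetic only. Returns (seconds, nanoseconds) with floor
    semantics, so '-1.5' becomes (-2, 500000000)."""
    if len(value) > MAX_VALUE_LEN:               # cheap check before the regex runs
        raise ValueError(f"pax time value too long ({len(value)} chars)")
    m = _TIME_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"pax time value is not <seconds>[.<subseconds>]: {value!r}")
    sign, secs, frac = m.groups()
    total_ns = int(secs) * 10**9 + int((frac or "").ljust(MAX_FRAC_DIGITS, "0"))
    if sign:
        total_ns = -total_ns
    return divmod(total_ns, 10**9)


def is_valid_pax_time(value: str) -> bool:
    try:
        parse_pax_time(value)
        return True
    except ValueError:
        return False


def validate_time_headers(block: bytes) -> dict:
    """Decode a block and parse every time field with the validating parser;
    raises ValueError on the first malformed one, before any costly arithmetic."""
    return {k: parse_pax_time(v) for k, v in decode_pax_records(block).items() if k in TIME_KEYS}


def build_samples() -> dict:
    """Constructed pax header blocks mirroring the advisory's two malformed shapes."""
    return {
        "benign": encode_pax_record("mtime", "1647221103.5998539")
        + encode_pax_record("path", "etc/passwd"),
        "long_fraction": encode_pax_record("mtime", "1647221103." + "9" * 300_000),
        "exponent": encode_pax_record("atime", "9e9999999"),
    }


if __name__ == "__main__":
    for name, block in build_samples().items():
        raw = decode_pax_records(block)
        for key in TIME_KEYS & raw.keys():
            d = parse_pax_time_lenient(raw[key])
            print(f"{name}: lenient parse of {key} -> {str(d)[:24]}... ({len(str(d))} chars)")
        try:
            print(f"{name}: validated -> {validate_time_headers(block)}")
        except ValueError as exc:
            print(f"{name}: REJECTED ({exc})")
```

Run as a script, the benign block validates to `(1647221103, 599853900)`, while the 300,000-digit fraction is rejected by the length check and "9e9999999" by the syntax check; both are accepted without complaint by the lenient parser. The design point is ordering: the size and syntax of the header value are decided with string operations whose cost is linear in a bounded input, and only then does any numeric conversion happen, so no attacker-controlled value ever reaches the arbitrary-precision arithmetic that the advisory identifies as the expensive step.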


Severity

CVSS 3.x Severity and Metrics:


NIST CVSS score

NIST: NVD

Base Score:  N/A

NVD score not yet provided.

References to Advisories, Solutions, and Tools


Change History

0 change records found
