CVE-2021-35516

Apache Commons Compress 1.6 to 1.20 denial of service vulnerability

Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Remediation

Workaround:

  • Commons Compress users should upgrade to 1.21 or later. With Compress 1.19 we introduced a feature that tries to recover broken 7z archives, which makes it far easier to exploit this weakness. As a result we have disabled the recovery code by default and users need to enable it explicitly. In addition users are able to control the amount of memory SevenZFile may use and we strongly recommend using this feature when trying to recover broken archives.

Categories

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.36%
Vendor Advisory apache.org Vendor Advisory apache.org
Affected: Apache Software Foundation Apache Commons Compress
Published at:
Updated at:

References

Link Tags
https://commons.apache.org/proper/commons-compress/security-reports.html vendor advisory
https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E mailing list vendor advisory
http://www.openwall.com/lists/oss-security/2021/07/13/2 third party advisory mailing list
https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91%40%3Cannounce.apache.org%3E mailing list
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E mailing list
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E mailing list
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E mailing list
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E mailing list
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E mailing list
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E mailing list
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E mailing list
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E mailing list
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E mailing list
https://www.oracle.com/security-alerts/cpuoct2021.html third party advisory patch
https://www.oracle.com/security-alerts/cpujan2022.html third party advisory patch
https://security.netapp.com/advisory/ntap-20211022-0001/ third party advisory
https://www.oracle.com/security-alerts/cpuapr2022.html third party advisory patch
https://www.oracle.com/security-alerts/cpujul2022.html third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-35516?
CVE-2021-35516 has been scored as a high severity vulnerability.
How to fix CVE-2021-35516?
As a workaround for remediating CVE-2021-35516: Commons Compress users should upgrade to 1.21 or later. With Compress 1.19 we introduced a feature that tries to recover broken 7z archives, which makes it far easier to exploit this weakness. As a result we have disabled the recovery code by default and users need to enable it explicitly. In addition users are able to control the amount of memory SevenZFile may use and we strongly recommend using this feature when trying to recover broken archives.
Is CVE-2021-35516 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-35516 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-35516?
CVE-2021-35516 affects Apache Software Foundation Apache Commons Compress.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.