CVE-2021-35515 Overview
CVE-2021-35515 is a denial of service vulnerability affecting Apache Commons Compress, a widely used Java library for working with archive and compression formats. When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This vulnerability could be exploited to mount a denial of service attack against services that use the Compress sevenz package.
Critical Impact
This vulnerability enables attackers to cause complete service unavailability by submitting malicious 7Z archive files, potentially disrupting critical enterprise applications across banking, communications, and business process management systems.
Affected Products
- Apache Commons Compress (primary affected component)
- NetApp Active IQ Unified Manager (Linux, VMware vSphere, Windows)
- NetApp OnCommand Insight
- Oracle Banking Digital Experience (versions 19.1, 20.1, 21.1)
- Oracle Banking Enterprise Default Management (version 2.7.0)
- Oracle Banking Party Management (version 2.7.0)
- Oracle Banking Payments (version 14.5)
- Oracle Banking Trade Finance (version 14.5)
- Oracle Banking Treasury Management (version 14.5)
- Oracle Business Process Management Suite (versions 12.2.1.3.0, 12.2.1.4.0)
- Oracle Commerce Guided Search (version 11.3.2)
- Oracle Communications Billing and Revenue Management (version 12.0.0.4)
- Oracle Communications Cloud Native Core products
- Oracle Financial Services Crime and Compliance Management Studio
- Oracle FLEXCUBE Universal Banking
- Oracle PeopleSoft Enterprise PeopleTools (versions 8.57, 8.58, 8.59)
- Oracle Primavera Unifier
- Oracle Communications Messaging Server (version 8.1)
Discovery Timeline
- July 13, 2021 - CVE-2021-35515 published to NVD
- October 2021 - Oracle releases security patches in CPU October 2021
- January 2022 - Additional patches released in Oracle CPU January 2022
- April 2022 - Further patches in Oracle CPU April 2022
- July 2022 - Oracle CPU July 2022 addresses remaining affected products
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-35515
Vulnerability Analysis
This vulnerability is classified under CWE-834 (Excessive Iteration) and CWE-835 (Loop with Unreachable Exit Condition). The flaw exists in the way Apache Commons Compress handles the codec list construction when processing 7Z archive entries. When parsing certain malformed 7Z archives, the decompression routine enters an infinite loop, consuming CPU resources indefinitely.
The vulnerability can be triggered remotely over a network connection without requiring authentication or user interaction. An attacker simply needs to deliver a malicious 7Z archive to any service that processes such files using the vulnerable Commons Compress library. The impact is limited to availability—there is no direct path to confidentiality or integrity compromise through this vulnerability alone.
Root Cause
The root cause lies in improper loop termination logic within the sevenz package's codec list construction code. When processing a specially crafted 7Z archive, the code enters a loop that lacks proper exit conditions for certain malformed input scenarios. The loop continues indefinitely, consuming CPU cycles and preventing the application from processing legitimate requests.
This represents a failure in input validation where the archive parsing code does not adequately verify that the codec chain construction will terminate in a finite number of steps. The absence of iteration limits or timeout mechanisms allows the infinite loop condition to persist.
Attack Vector
The attack can be executed over the network by any unauthenticated attacker who can submit a 7Z archive to a vulnerable service. File upload endpoints that accept 7Z archives for processing are the most direct attack surface: web applications, document management systems, and data ingestion pipelines that use Apache Commons Compress to handle archive files are all potentially vulnerable.
The malicious archive exploits the codec list parsing by including specially crafted header structures that cause the decompression initialization code to loop infinitely. When a service attempts to read or extract entries from such an archive, the thread becomes blocked in the infinite loop.
Since no proof-of-concept code has been verified for this vulnerability, the technical details of crafting the malicious archive structure are not publicly documented. Administrators should refer to the Apache Commons Compress Security Reports for authoritative technical information.
Detection Methods for CVE-2021-35515
Indicators of Compromise
- Abnormal CPU utilization spikes coinciding with 7Z archive processing operations
- Application threads stuck in infinite loops within org.apache.commons.compress.archivers.sevenz package classes
- Service timeout errors or unresponsiveness when handling 7Z file uploads
- Thread dumps showing repeated execution in Commons Compress codec-related methods
Detection Strategies
- Monitor application performance metrics for sustained high CPU usage during archive operations
- Implement thread monitoring to detect threads blocked for extended periods in compression library code
- Deploy application-level logging around file upload and archive processing endpoints
- Use dependency scanning tools to identify vulnerable versions of Apache Commons Compress in your software inventory
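As an added example (not part of this page), a small Python checker that applies the thread-dump indicator and the stuck-thread monitoring strategy above: it parses two jstack-style dumps taken some seconds apart and reports threads that are RUNNABLE in both with the same entry frame into the sevenz package, which is the footprint a spinning codec-list loop leaves. The dump text, thread names and frame names are constructed for illustration.

```python
import re

SEVENZ_PKG = "org.apache.commons.compress.archivers.sevenz"
_HDR = re.compile(r'^"([^"]+)"')                      # '"thread-name" #id ...'
_STATE = re.compile(r"^\s+java\.lang\.Thread\.State:\s+(\w+)")
_FRAME = re.compile(r"^\s+at\s+(\S+)\(")              # '   at pkg.Class.method(File.java)'

def parse_dump(text: str) -> dict:
    """Map thread name -> (state, [frames, innermost first]) for a jstack-style dump."""
    threads, name, state, frames = {}, None, "UNKNOWN", []
    for line in text.splitlines():
        if m := _HDR.match(line):
            if name is not None:
                threads[name] = (state, frames)
            name, state, frames = m.group(1), "UNKNOWN", []
        elif name is not None and (m := _STATE.match(line)):
            state = m.group(1)
        elif name is not None and (m := _FRAME.match(line)):
            frames.append(m.group(1))
    if name is not None:
        threads[name] = (state, frames)
    return threads

def stuck_in_sevenz(dump_a: str, dump_b: str) -> list:
    """Threads RUNNABLE in both dumps with the same outermost sevenz frame.
    The innermost frame may move inside a loop, so only the entry frame is compared."""
    a, b, hits = parse_dump(dump_a), parse_dump(dump_b), []
    for name, (st_a, fr_a) in a.items():
        st_b, fr_b = b.get(name, ("UNKNOWN", []))
        if st_a != "RUNNABLE" or st_b != "RUNNABLE":
            continue
        entry_a = [f for f in fr_a if f.startswith(SEVENZ_PKG)]
        entry_b = [f for f in fr_b if f.startswith(SEVENZ_PKG)]
        if entry_a and entry_b and entry_a[-1] == entry_b[-1]:
            hits.append((name, entry_a[-1]))
    return hits

# Constructed sample dumps, not real jstack output; frame names are illustrative.
def _dump(top_frame: str) -> str:
    return "\n".join([
        '"http-nio-8080-exec-3" #42 prio=5 tid=0x7f nid=0x1a2b runnable',
        "   java.lang.Thread.State: RUNNABLE",
        f"        at {SEVENZ_PKG}.{top_frame}",
        f"        at {SEVENZ_PKG}.SevenZFile.<init>(SevenZFile.java)",
        "        at com.example.upload.ArchiveService.extract(ArchiveService.java)",
        '"http-nio-8080-exec-7" #46 prio=5 tid=0x7e nid=0x1a2f waiting on condition',
        "   java.lang.Thread.State: WAITING (parking)",
    ])
DUMP_T0 = _dump("Folder.getOrderedCoders(Folder.java)")   # taken at t=0s
DUMP_T30 = _dump("Folder.findBindPair(Folder.java)")      # taken 30s later
```

Two dumps at once are a heuristic, not proof: confirm a hit with a third dump and the CPU metrics above before acting on it.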
Monitoring Recommendations
- Configure alerting for abnormal CPU consumption patterns in services that process archive files
- Implement request timeout monitoring for file upload and processing endpoints
- Enable JVM thread monitoring to detect stuck threads in production environments
- Audit all applications and dependencies using software composition analysis (SCA) tools to identify Commons Compress usage
How to Mitigate CVE-2021-35515
Immediate Actions Required
- Upgrade Apache Commons Compress to the latest patched version that addresses this vulnerability
- Apply relevant vendor patches from Oracle, NetApp, and other affected product vendors
- Implement request timeouts and resource limits on services that process 7Z archives
- Consider temporarily disabling 7Z archive processing if patches cannot be immediately applied
Patch Information
Apache has released patches addressing this vulnerability. Organizations should upgrade to a fixed version of Apache Commons Compress as documented in the Apache Commons Compress Security Reports.
For Oracle products, patches are available through multiple Critical Patch Updates, from CPU October 2021 through CPU July 2022 as listed in the Discovery Timeline above.
NetApp users should refer to the NetApp Security Advisory NTAP-20211022-0001 for applicable patches.
Workarounds
- Implement execution timeouts around 7Z archive processing operations to prevent indefinite blocking
- Restrict 7Z file uploads to trusted users only until patches can be applied
- Deploy application-layer firewalls or file type filters to block 7Z archives at ingress points
- Isolate archive processing services in resource-constrained containers to limit DoS impact
# Example: JVM startup options for the archive processing service.
# Note: no JVM flag bounds how long a thread may run, so these options do not
# stop a thread spinning in the codec-list loop; they only adjust scheduling
# priority and per-thread stack size. Execution timeouts must be enforced in
# application code around the 7Z processing call.
-XX:+UseThreadPriorities
-XX:ThreadStackSize=256k
# Example: container resource limits for the archive processing service
# (docker-compose.yml excerpt, nested under the service definition; the CPU
# limit caps the damage a spinning thread can do to co-located workloads)
deploy:
  resources:
    limits:
      cpus: '1.0'
      memory: 512M
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.