CVE-2021-35517 Overview
CVE-2021-35517 is a denial of service vulnerability in Apache Commons Compress that allows attackers to cause excessive memory allocation when processing specially crafted TAR archive files. The vulnerability exists in the TAR parsing functionality, where malicious archive metadata can trigger the allocation of large amounts of memory, ultimately leading to an out-of-memory error even when processing very small input files.
This vulnerability is particularly concerning for services that accept and process TAR archives from untrusted sources, as it can be exploited remotely without authentication to disrupt service availability.
Critical Impact
Remote attackers can exhaust server memory and cause denial of service by submitting maliciously crafted TAR archives, impacting availability of applications using Apache Commons Compress for archive processing.
Affected Products
- Apache Commons Compress (vulnerable versions prior to patch)
- NetApp Active IQ Unified Manager (Linux, VMware vSphere, Windows)
- NetApp OnCommand Insight
- Oracle Banking APIs (versions 19.1, 19.2, 20.1, 21.1)
- Oracle Banking Digital Experience (versions 19.1, 19.2, 20.1, 21.1)
- Oracle Banking Enterprise Default Management 2.7.0
- Oracle Banking Party Management 2.7.0
- Oracle Banking Payments 14.5
- Oracle Banking Trade Finance 14.5
- Oracle Banking Treasury Management 14.5
- Oracle Business Process Management Suite (12.2.1.3.0, 12.2.1.4.0)
- Oracle Commerce Guided Search 11.3.2
- Oracle Communications Billing and Revenue Management 12.0.0.4
- Oracle Communications Cloud Native Core Service Communication Proxy 1.14.0
- Oracle Communications Cloud Native Core Unified Data Repository 1.14.0
- Oracle Communications Diameter Intelligence Hub
- Oracle Communications Session Route Manager
- Oracle Communications Messaging Server 8.1
- Oracle Financial Services Crime and Compliance Management Studio
- Oracle Financial Services Enterprise Case Management
- Oracle FLEXCUBE Universal Banking (12.4, 14.5)
- Oracle Healthcare Data Repository 8.1.0
- Oracle Insurance Policy Administration (11.0.2, 11.1.0, 11.2.8, 11.3.0, 11.3.1)
- Oracle PeopleSoft Enterprise PeopleTools (8.57, 8.58, 8.59)
- Oracle Primavera Unifier (18.8, 19.12, 20.12)
- Oracle Utilities Testing Accelerator
- Oracle WebCenter Portal (12.2.1.3.0, 12.2.1.4.0)
Discovery Timeline
- July 13, 2021 - CVE-2021-35517 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-35517
Vulnerability Analysis
The vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling, CWE-130: Improper Handling of Length Parameter Inconsistency) resides in Apache Commons Compress's TAR archive processing functionality. When parsing TAR file headers, the library reads size fields from the archive metadata without properly validating them against reasonable bounds. An attacker can craft a TAR archive with manipulated header fields that specify extremely large file sizes or entry counts.
When the library processes such an archive, it attempts to allocate memory buffers based on these untrusted size values. Since there is no upper limit validation, even a small malicious TAR file (potentially just a few kilobytes) can instruct the application to allocate gigabytes of memory, rapidly exhausting available heap space and causing an OutOfMemoryError.
This vulnerability is exploitable over the network without any authentication or user interaction, making it particularly dangerous for web services, file upload endpoints, or any application that processes TAR archives from external sources.
Root Cause
The root cause is improper validation of length parameters in TAR archive headers. The Commons Compress library trusts the size values embedded in TAR file headers without implementing reasonable upper bounds or resource limits. This allows attackers to specify arbitrarily large allocation sizes in the archive metadata, which the library then attempts to honor, leading to resource exhaustion.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker crafts a malicious TAR archive with manipulated header fields containing exaggerated size values. When this archive is processed by an application using the vulnerable Apache Commons Compress library, the following occurs:
- The application receives the malicious TAR archive (via file upload, API endpoint, or other input mechanism)
- Commons Compress parses the TAR headers and reads the manipulated size fields
- The library allocates memory buffers based on the untrusted size values
- Because the allocation is sized by the declared value rather than by the bytes actually present in the archive, a single request can exceed the available heap
- The JVM throws an OutOfMemoryError, causing service disruption or crash
The vulnerability does not require the malicious archive to contain actual data matching the declared sizes—the mere act of parsing the headers triggers the excessive allocation.
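As an added illustration of the CWE-770 / CWE-130 defect class described above (example code written for this page, not Apache Commons Compress source), the 12-byte octal size field of a standard 512-byte ustar header is parsed and then used to size a heap allocation, once with the declared value trusted and once checked against a caller-supplied ceiling. The class name, the method names and the 1 MiB ceiling in main are hypothetical; the header offsets are the ustar layout.

```java
import java.nio.charset.StandardCharsets;

/**
 * Illustration of allocating from an untrusted TAR header length field.
 * Not Commons Compress code; names and limits are hypothetical.
 */
public final class TarSizeFieldExample {
    static final int HEADER_LENGTH = 512;
    static final int SIZE_OFFSET = 124;   // ustar: size field starts at byte 124
    static final int SIZE_LENGTH = 12;    // ustar: 12 bytes of octal ASCII

    /** Parses the octal size field; leading/trailing NUL or space are tolerated as in ustar. */
    static long parseOctalSize(byte[] header) {
        if (header.length < HEADER_LENGTH) throw new IllegalArgumentException("short header");
        long value = 0;
        int digits = 0;
        for (int i = SIZE_OFFSET; i < SIZE_OFFSET + SIZE_LENGTH; i++) {
            byte b = header[i];
            if (b == 0 || b == ' ') {
                if (digits > 0) break;    // terminator after the digits
                continue;                 // leading padding
            }
            if (b < '0' || b > '7') throw new IllegalArgumentException("non-octal byte in size field");
            value = (value << 3) | (b - '0');
            digits++;
        }
        return value;
    }

    /** Vulnerable pattern: the declared size is trusted, so a 12-byte field can demand gigabytes of heap. */
    static byte[] allocateUnbounded(byte[] header) {
        long declared = parseOctalSize(header);
        // A value above Integer.MAX_VALUE is truncated by the cast; a large valid one ends in OutOfMemoryError
        return new byte[(int) declared];
    }

    /** Hardened pattern: the declared size is compared with a ceiling before any allocation happens. */
    static byte[] allocateBounded(byte[] header, long maxBytes) {
        long declared = parseOctalSize(header);
        if (declared < 0 || declared > maxBytes) {
            throw new IllegalArgumentException("declared entry size " + declared + " exceeds limit " + maxBytes);
        }
        return new byte[(int) declared];
    }

    /** Constructed sample: a ustar header for a regular file whose declared size is the given value. */
    static byte[] sampleHeader(long size) {
        byte[] h = new byte[HEADER_LENGTH];
        byte[] name = "example.txt".getBytes(StandardCharsets.US_ASCII);
        System.arraycopy(name, 0, h, 0, name.length);
        byte[] sizeField = String.format("%011o", size).getBytes(StandardCharsets.US_ASCII);
        System.arraycopy(sizeField, 0, h, SIZE_OFFSET, sizeField.length); // 11 digits, NUL terminator left in place
        return h;
    }

    public static void main(String[] args) {
        byte[] h = sampleHeader(1024);
        System.out.println("declared size = " + parseOctalSize(h));
        System.out.println("bounded allocation ok, length = " + allocateBounded(h, 1L << 20).length);
    }
}
```

The only difference between the two allocation methods is the comparison against `maxBytes`; that single check is what separates CWE-770 from a bounded parser, and it is the kind of limit the patched library applies internally.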
Detection Methods for CVE-2021-35517
Indicators of Compromise
- Sudden spikes in JVM heap memory usage when processing TAR archives
- OutOfMemoryError exceptions in application logs related to archive processing
- Application or service crashes following TAR file upload or processing operations
- Unusually small TAR files causing disproportionate memory consumption
- High memory allocation rates in garbage collection logs
Detection Strategies
- Monitor JVM heap usage patterns and alert on anomalous memory allocation spikes during archive processing
- Implement application-level logging around TAR parsing operations to track memory consumption
- Use dependency scanning tools (OWASP Dependency-Check, Snyk, etc.) to identify vulnerable Commons Compress versions in your codebase
- Review Software Bill of Materials (SBOM) for transitive dependencies on affected Commons Compress versions
- Deploy web application firewalls (WAF) with rules to inspect uploaded archives for suspicious metadata
Monitoring Recommendations
- Configure JVM memory monitoring with threshold-based alerting for rapid heap growth
- Implement request-level timeout and resource limits for archive processing endpoints
- Enable verbose garbage collection logging to detect memory pressure patterns
- Monitor application availability and restart frequency as DoS indicators
- Track archive processing duration metrics to identify abnormally long operations
How to Mitigate CVE-2021-35517
Immediate Actions Required
- Identify all applications and services using Apache Commons Compress for TAR processing
- Inventory all instances of the vulnerable library including transitive dependencies
- Upgrade Apache Commons Compress to the patched version immediately
- Implement memory limits and timeouts for archive processing operations as a defense-in-depth measure
- Consider temporarily disabling TAR archive processing functionality if patches cannot be applied immediately
Patch Information
Apache has released security patches to address this vulnerability. Users should upgrade to the fixed version of Apache Commons Compress as documented in the Apache Commons Compress Security Reports. Oracle has also released patches for affected Oracle products through their Critical Patch Updates—refer to the Oracle October 2021 CPU, Oracle January 2022 CPU, Oracle April 2022 CPU, and Oracle July 2022 CPU for product-specific guidance. NetApp users should consult their security advisory for Active IQ Unified Manager and OnCommand Insight.
Workarounds
- Implement input validation to restrict the maximum acceptable size of uploaded TAR archives before processing
- Configure JVM memory limits (-Xmx) so that a single process cannot exhaust the host's memory
- Deploy request timeouts on endpoints that process archive files to abort long-running operations
- Use containerization or sandboxing to isolate archive processing and limit resource consumption per request
- Implement rate limiting on file upload endpoints to reduce the potential impact of DoS attempts
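The workarounds above combined into one consumer-side guard, as an added example (not code from Apache Commons Compress or from this advisory) built on the library's public TarArchiveInputStream API: the input is rejected once it exceeds a byte cap, each entry's declared size and the entry count are checked against limits, extracted bytes are capped, and the whole parse runs under a timeout. The class name, the limit values and the method names are hypothetical choices. Because the excessive allocation in vulnerable versions happens inside the library while it parses headers, these limits reduce the blast radius but do not replace the upgrade.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;

/** Defense-in-depth wrapper around Commons Compress TAR parsing. Hypothetical names and limits. */
public final class GuardedTarProcessor {
    static final long MAX_ARCHIVE_BYTES = 10L * 1024 * 1024; // reject input over 10 MiB while parsing
    static final long MAX_ENTRY_BYTES   = 5L * 1024 * 1024;  // reject any entry whose header declares > 5 MiB
    static final int  MAX_ENTRIES       = 1000;              // reject archives with more entries than this
    static final long MAX_TOTAL_BYTES   = 50L * 1024 * 1024; // reject once extracted bytes exceed 50 MiB
    static final long TIMEOUT_SECONDS   = 10;                // abort a parse that runs longer than this

    /** Input stream that fails loudly once more than {@code cap} bytes have been consumed. */
    static final class CappedInputStream extends FilterInputStream {
        private final long cap;
        private long consumed;
        CappedInputStream(InputStream in, long cap) { super(in); this.cap = cap; }
        @Override public int read() throws IOException {
            int b = in.read();
            if (b >= 0) account(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0) account(n);
            return n;
        }
        private void account(long n) throws IOException {
            consumed += n;
            if (consumed > cap) throw new IOException("archive exceeds " + cap + " bytes");
        }
    }

    /** Walks the archive under the limits above and returns the number of entries accepted. */
    static int processWithLimits(InputStream untrusted) throws IOException {
        int entries = 0;
        long total = 0;
        byte[] buf = new byte[8192];
        try (TarArchiveInputStream tar =
                     new TarArchiveInputStream(new CappedInputStream(untrusted, MAX_ARCHIVE_BYTES))) {
            TarArchiveEntry entry;
            while ((entry = tar.getNextTarEntry()) != null) {
                if (++entries > MAX_ENTRIES) throw new IOException("too many entries");
                long declared = entry.getSize();
                if (declared < 0 || declared > MAX_ENTRY_BYTES) {
                    throw new IOException("entry " + entry.getName() + " declares " + declared + " bytes");
                }
                int n;
                while ((n = tar.read(buf)) > 0) {          // drain the entry; a real service would write it out
                    total += n;
                    if (total > MAX_TOTAL_BYTES) throw new IOException("extracted bytes exceed limit");
                }
            }
        }
        return entries;
    }

    /** Runs the guarded parse on a worker thread and closes the input if it overruns the time budget. */
    static int processWithTimeout(InputStream untrusted) throws IOException {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        Future<Integer> result = worker.submit(() -> processWithLimits(untrusted));
        try {
            return result.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            untrusted.close();                             // unblocks a stalled read on socket-backed streams
            result.cancel(true);
            throw new IOException("tar processing timed out");
        } catch (Exception e) {
            throw new IOException("tar processing failed", e);
        } finally {
            worker.shutdownNow();
        }
    }

    /** Constructed sample archive: one small regular file, written with the Commons Compress writer. */
    static byte[] sampleArchive() throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (TarArchiveOutputStream out = new TarArchiveOutputStream(bytes)) {
            byte[] payload = "hello".getBytes(StandardCharsets.US_ASCII);
            TarArchiveEntry e = new TarArchiveEntry("hello.txt");
            e.setSize(payload.length);
            out.putArchiveEntry(e);
            out.write(payload);
            out.closeArchiveEntry();
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        int accepted = processWithTimeout(new ByteArrayInputStream(sampleArchive()));
        System.out.println("accepted entries: " + accepted);
    }
}
```

Compile with commons-compress on the classpath. Every rejection is an IOException with a reason, so the same code path that stops the parse also produces the log line the Detection Strategies section asks for; wire those exceptions into the application's logging and alert on their rate.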
# Example JVM configuration: cap the heap so one process cannot exhaust host memory,
# and write a heap dump on OutOfMemoryError so the allocating stack (for example TAR
# parsing) can be identified afterwards. Request timeouts are not set by these flags;
# configure them in the application or its server.
# Add to the application startup script or container configuration; the heap dump
# directory must exist and be writable by the JVM user.
java -Xmx512m -Xms256m \
    -XX:+HeapDumpOnOutOfMemoryError \
    -XX:HeapDumpPath=/var/log/heapdumps \
    -jar your-application.jar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.