CVE-2021-36374 Overview
CVE-2021-36374 is a Denial of Service vulnerability affecting Apache Ant, a widely-used Java-based build automation tool. When reading a specially crafted ZIP archive, or derived formats such as JAR files and office documents, an Apache Ant build process can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This vulnerability can be exploited to disrupt builds using Apache Ant, potentially causing significant disruption to development and deployment pipelines.
Critical Impact
An attacker can craft malicious ZIP-based files that, when processed by Apache Ant during a build, cause memory exhaustion and crash the build process—disrupting CI/CD pipelines and software delivery workflows.
Affected Products
- Apache Ant prior to version 1.9.16
- Apache Ant prior to version 1.10.11
- Oracle Agile Engineering Data Management 6.2.1.0
- Oracle Agile PLM 9.3.6
- Oracle Communications Cloud Native Core Automated Test Suite 1.9.0
- Oracle Primavera Gateway (multiple versions)
- Oracle Primavera Unifier 18.8, 19.12, 20.12
- Oracle Retail XStore Point of Service (multiple versions)
- Oracle Utilities Framework (multiple versions)
- Over 30 additional Oracle products incorporating Apache Ant
Discovery Timeline
- July 14, 2021 - CVE-2021-36374 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-36374
Vulnerability Analysis
This vulnerability falls under CWE-130 (Improper Handling of Length Parameter Inconsistency). The flaw exists in Apache Ant's ZIP archive handling routines, where the software fails to properly validate or limit memory allocation when processing compressed archive metadata. When Ant processes a ZIP file, it trusts certain length fields embedded in the archive structure to allocate memory buffers. An attacker can craft a malicious archive with inflated size declarations that do not correspond to actual data, causing Ant to attempt to allocate massive amounts of memory.
The attack is particularly concerning because ZIP-based formats are ubiquitous in Java ecosystems. JAR files (Java Archives), WAR files (Web Application Archives), and many office document formats (DOCX, XLSX, etc.) are all based on the ZIP format. This means any build process that handles these common file types through Apache Ant could be vulnerable to this denial of service attack.
Root Cause
The root cause of CVE-2021-36374 is improper handling of length parameter inconsistencies in ZIP archive processing. Apache Ant's archive handling code reads size fields from the ZIP file header and uses these values to allocate memory buffers without adequate validation. When a specially crafted archive contains header values declaring extremely large file sizes that differ dramatically from the actual compressed content, Ant allocates memory based on the declared (malicious) sizes rather than the actual data present.
This design flaw allows for a disproportionate resource consumption attack where a very small input file can trigger the allocation of gigabytes of memory, exhausting available heap space and causing an OutOfMemoryError that crashes the JVM running the Ant build.
Attack Vector
The attack requires local access or the ability to inject a malicious file into a build pipeline. The attacker must craft a ZIP archive (or a ZIP-derived format like JAR) with manipulated header fields that declare large uncompressed sizes. When this malicious file is processed by Apache Ant during tasks such as unzip, unjar, or any task that reads ZIP-based archives, the vulnerable code attempts to allocate memory according to the malicious size declarations.
The attack vector is local (AV:L), requires user interaction (UI:R) in the sense that a build process must be triggered, and requires no special privileges (PR:N). While the attack does not compromise confidentiality or integrity, it achieves high impact on availability (A:H) by causing the build process to crash with an out of memory error.
Exploitation typically occurs when a malicious archive is introduced into a source code repository, build artifact cache, or dependency resolution system. Automated CI/CD pipelines that process these archives without manual review are particularly susceptible.
Detection Methods for CVE-2021-36374
Indicators of Compromise
- Build process failures with java.lang.OutOfMemoryError exceptions during ZIP/JAR extraction tasks
- Abnormal memory consumption spikes during Ant build execution
- Presence of unusually small ZIP or JAR files that claim extremely large uncompressed sizes
- Build logs showing memory allocation failures during unzip, unjar, or similar archive tasks
Detection Strategies
- Monitor build server memory utilization and establish baselines for normal build processes
- Implement file integrity checks on build inputs, particularly for archive files from external sources
- Scan incoming archives for suspicious header values where declared sizes significantly exceed actual file sizes
- Deploy SentinelOne Singularity to detect and alert on abnormal process memory consumption patterns
Monitoring Recommendations
- Configure alerting for JVM OutOfMemoryError conditions in build environments
- Implement logging for all archive extraction operations with size validation metrics
- Monitor CI/CD pipeline stability metrics to detect repeated build failures that may indicate exploitation attempts
- Audit dependency management systems for recently modified or suspicious archive files
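A small triage script for the indicators above, added here as an example and not part of the original page or the Apache Ant project: it walks Ant console output, remembers which task was running and which archive it last reported expanding, and raises an alert when a java.lang.OutOfMemoryError follows an archive-reading task. The log lines are constructed for the example; the `[task]` prefix and the `Expanding: <src> into <dest>` message follow Ant's normal console format, and the task set is an assumption you should extend to match your own build files.

```python
"""Correlate JVM OutOfMemoryError events in Ant build logs with the archive task
that was running, so that repeated failures in unzip/unjar steps stand out."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ant prefixes each task's output with the task name in brackets.
TASK_LINE = re.compile(r"^\s*\[(?P<task>[\w.-]+)\]\s(?P<msg>.*)$")
# The Expand family of tasks (unzip/unjar/unwar/unear) logs the archive it reads.
EXPANDING = re.compile(r"^Expanding:\s(?P<src>.+?)\sinto\s(?P<dest>.+)$")
OOM = re.compile(r"java\.lang\.OutOfMemoryError")
# Assumed list of tasks that parse ZIP-based input; extend for custom tasks.
ARCHIVE_TASKS = {"unzip", "unjar", "unwar", "unear", "zip", "jar"}


@dataclass
class Alert:
    line_no: int          # 1-based line of the OutOfMemoryError in the log
    task: Optional[str]   # task that was active when the OOM occurred
    archive: Optional[str]  # last archive that task reported expanding
    archive_related: bool   # True when the task reads ZIP-based input


def triage(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    current_task: Optional[str] = None
    last_archive: Optional[str] = None
    for no, line in enumerate(lines, start=1):
        m = TASK_LINE.match(line)
        if m:
            current_task = m.group("task")
            e = EXPANDING.match(m.group("msg"))
            if e:
                last_archive = e.group("src")
            continue
        if OOM.search(line):
            related = current_task in ARCHIVE_TASKS
            alerts.append(Alert(no, current_task, last_archive if related else None, related))
    return alerts


# Constructed sample of Ant console output ending in a heap exhaustion.
SAMPLE_LOG = """Buildfile: /srv/ci/build.xml

compile:
    [javac] Compiling 12 source files to /srv/ci/build/classes

unpack-deps:
    [unzip] Expanding: /srv/ci/lib/vendor-bundle.zip into /srv/ci/build/deps

BUILD FAILED
java.lang.OutOfMemoryError: Java heap space
        at java.base/java.util.Arrays.copyOf(Arrays.java:3537)
""".splitlines()


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        flag = "ARCHIVE-RELATED" if a.archive_related else "other"
        print(f"line {a.line_no}: OOM during [{a.task}] {flag} archive={a.archive}")
```

Feed the same function the logs of every failed build on the server and count alerts with `archive_related` set per archive path; a single archive that keeps appearing is the file to quarantine and inspect.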
How to Mitigate CVE-2021-36374
Immediate Actions Required
- Upgrade Apache Ant to version 1.9.16 or later for the 1.9.x branch
- Upgrade Apache Ant to version 1.10.11 or later for the 1.10.x branch
- Review and update all Oracle products that bundle Apache Ant according to Oracle Critical Patch Updates
- Audit build pipelines to identify all locations where Apache Ant processes untrusted archive files
Patch Information
Apache has released patched versions that address this vulnerability. Organizations should upgrade to Apache Ant 1.9.16 or 1.10.11 and later. The patches implement proper validation of ZIP archive header fields to prevent memory exhaustion attacks.
For Oracle products affected by this vulnerability, consult the following Oracle Critical Patch Updates:
- Oracle CPU October 2021 Alert
- Oracle CPU January 2022 Alert
- Oracle CPU April 2022 Alert
- Oracle CPU July 2022 Alert
For additional details, refer to the Apache Ant Security Overview.
Workarounds
- Implement JVM memory limits using -Xmx to constrain maximum heap allocation and prevent full system memory exhaustion
- Validate all archive files before processing with independent tools that check for header/content size inconsistencies
- Isolate build processes in containers with resource limits to contain potential denial of service impacts
- Restrict build inputs to only trusted sources and implement checksum verification for all archive dependencies
# Configuration example - Limiting JVM heap for Ant builds
export ANT_OPTS="-Xmx1024m -Xms256m"
# Alternative: Configure in ant wrapper script
# This limits the maximum damage from memory exhaustion attacks
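The second workaround above (validate archives with an independent tool before Ant touches them) and the detection strategy of comparing declared sizes with actual file sizes can be implemented together. The following Python is an added example, not code from the page or from Apache Ant: `audit_declared_sizes` reads only the central directory and flags entries whose declared uncompressed size is implausible against the bytes present, and `verify_actual_sizes` decompresses each entry in bounded chunks and compares what the stream really produced with the header's claim, refusing to go past a read cap. The thresholds, function names and the two sample archives are assumptions constructed for the example; the high-ratio sample is an ordinary deflated run of zeros, not a forged header.

```python
"""Pre-extraction audit for ZIP/JAR inputs: decide from the bytes present and a
bounded decompression, never from the header's declared size alone."""
import io
import zipfile
import zlib
from dataclasses import dataclass, field
from typing import List

MiB = 1024 * 1024


@dataclass
class Finding:
    entry: str
    reason: str


@dataclass
class AuditResult:
    findings: List[Finding] = field(default_factory=list)

    @property
    def safe(self) -> bool:
        return not self.findings


def audit_declared_sizes(data: bytes, max_ratio: float = 100.0,
                         max_entry: int = 64 * MiB, max_total: int = 256 * MiB) -> AuditResult:
    """Cheap check on central-directory metadata only (no decompression).
    Thresholds are assumptions; tune them to the archives your pipeline expects."""
    result = AuditResult()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        result.findings.append(Finding("<archive>", f"not a valid ZIP: {exc}"))
        return result
    total_declared = 0
    with zf:
        for info in zf.infolist():
            total_declared += info.file_size
            if info.file_size > max_entry:
                result.findings.append(Finding(
                    info.filename, f"declared size {info.file_size} exceeds per-entry cap {max_entry}"))
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                result.findings.append(Finding(
                    info.filename, f"declared/compressed ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1"))
    if total_declared > max_total:
        result.findings.append(Finding(
            "<archive>", f"declared total {total_declared} exceeds budget {max_total}"))
    if total_declared > len(data) * max_ratio:
        result.findings.append(Finding(
            "<archive>", f"declared total {total_declared} bytes from an archive of only {len(data)} bytes"))
    return result


def verify_actual_sizes(data: bytes, read_cap: int = 64 * MiB, chunk: int = 64 * 1024) -> AuditResult:
    """Stream each entry in fixed-size chunks: memory use is bounded by `chunk`,
    the stream is abandoned once `read_cap` is exceeded, and the byte count that
    was actually produced is compared with the header's declared file_size."""
    result = AuditResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            produced = 0
            try:
                with zf.open(info) as fh:
                    while produced <= read_cap:
                        block = fh.read(chunk)
                        if not block:
                            break
                        produced += len(block)
            except (zipfile.BadZipFile, EOFError, zlib.error) as exc:
                # Truncated or inconsistent entries surface here (CRC/stream errors).
                result.findings.append(Finding(info.filename, f"corrupt or inconsistent data: {exc}"))
                continue
            if produced > read_cap:
                result.findings.append(Finding(
                    info.filename, f"still producing data after {read_cap} bytes; extraction refused"))
            elif produced != info.file_size:
                result.findings.append(Finding(
                    info.filename, f"header declares {info.file_size} bytes, stream produced {produced}"))
    return result


def _make_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a tiny JAR-like archive, and one whose single entry is
# 16 MiB of zeros (deflate packs that into a few KiB, a ratio near 1000:1).
BENIGN_JAR = _make_zip([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                        ("build.xml", b"<project name='demo'/>\n")])
HIGH_RATIO_ZIP = _make_zip([("blob.bin", b"\0" * (16 * MiB))])


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_JAR), ("high-ratio", HIGH_RATIO_ZIP)):
        meta = audit_declared_sizes(blob)
        real = verify_actual_sizes(blob, read_cap=1 * MiB)
        print(label, "metadata:", [f.reason for f in meta.findings])
        print(label, "streamed:", [f.reason for f in real.findings])
```

Run `audit_declared_sizes` first on every archive entering the build (it costs one central-directory read), and only pass archives that are clean to the streamed check; an archive rejected by either function should be quarantined rather than handed to an `unzip` or `unjar` task.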
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.