Description

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Related CPE's

a

apache

ant

2

a

oracle

agile_plm

9.3.6

Vulnerable

a

oracle

banking_trade_finance

14.5

Vulnerable

a

oracle

banking_treasury_management

14.5

Vulnerable

a

oracle

communications_cloud_native_core_automated_test_suite

1.9.0

Vulnerable

a

oracle

communications_cloud_native_core_binding_support_function

1.11.0

Vulnerable

a

oracle

communications_order_and_service_management

2

a

oracle

communications_unified_inventory_management

5

a

oracle

enterprise_repository

11.1.1.7.0

Vulnerable

a

oracle

financial_services_analytical_applications_infrastructure

Vulnerable

a

oracle

insurance_policy_administration

Vulnerable

a

oracle

primavera_gateway

4

a

oracle

primavera_unifier

4

a

oracle

real-time_decision_server

2

a

oracle

retail_advanced_inventory_planning

3

a

oracle

retail_back_office

2

a

oracle

retail_bulk_data_integration

2

a

oracle

retail_central_office

2

a

oracle

retail_eftlink

2

a

oracle

retail_extract_transform_and_load

13.2.8

Vulnerable

a

oracle

retail_financial_integration

3

a

oracle

retail_integration_bus

4

a

oracle

retail_invoice_matching

16.0.3

Vulnerable

a

oracle

retail_merchandising_system

19.0.1

Vulnerable

a

oracle

retail_point-of-service

2

a

oracle

retail_predictive_application_server

3

a

oracle

retail_service_backbone

4

a

oracle

retail_store_inventory_management

3

a

oracle

retail_xstore_point_of_service

5

a

oracle

timesten_in-memory_database

Vulnerable

a

oracle

utilities_framework

6

a

oracle

utilities_testing_accelerator

6.0.0.1.1

Vulnerable

References

https://ant.apache.org/security.html

PatchVendor Advisory

https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E

https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E

https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E

Mailing ListVendor Advisory

https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E

https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E

https://security.netapp.com/advisory/ntap-20210819-0007/

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Not Applicable

https://www.oracle.com/security-alerts/cpuoct2021.html

PatchThird Party Advisory

Weaknesses

[email protected]

Primary
NVD-CWE-Other

[email protected]

Secondary
CWE-130

CVSS impact metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.5 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-07-14T07:15:08.237

3 years ago

Last modified

2023-11-07T03:36:45.367

1 year ago