Apache Commons Compress BZip2CompressorOutputStream() Sorting Algorithm Lets Remote or Local Users Deny Service
SecurityTracker Alert ID: 1027096
SecurityTracker URL: http://securitytracker.com/id/1027096
CVE Reference: CVE-2012-2098
Date: May 24 2012
Impact:
Denial of service via local system, Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 1.0 - 1.4
Description:
A vulnerability was reported in Apache Commons Compress. A remote or local user can cause denial of service conditions.
A user can supply specially crafted, highly repetitive data to be compressed by the BZip2CompressorOutputStream class, whose internal sorting algorithm has unacceptable worst-case performance on such input, causing the target application or service to consume excessive processing resources.
Apache Ant versions 1.5 through 1.8.3 are also affected.
The vendor was notified on April 12, 2012.
David Jorm of the Red Hat Security Response Team reported this vulnerability.
Impact:
A remote or local user can cause the target application or service to consume excessive processing resources.
Solution:
The vendor has issued a fix (1.4.1).
The vendor's advisory is available at:
http://commons.apache.org/compress/security.html
Vendor URL: http://commons.apache.org/compress/security.html
Cause:
State error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Date: Wed, 23 May 2012 16:00:48 +0200
Subject: [Full-disclosure] [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service vulnerability
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Commons Compress 1.0 to 1.4
Apache Ant 1.5 to 1.8.3
Description:
The bzip2 compressing streams in Apache Commons Compress and Apache Ant
internally use sorting algorithms with unacceptable worst-case
performance on very repetitive inputs. A specially crafted input to
Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used
to make the process spend a very long time while using up all available
processing time, effectively leading to a denial of service.
Mitigation:
Commons Compress users should upgrade to 1.4.1
Ant users should upgrade to 1.8.4
Credit:
This issue was discovered by David Jorm of the Red Hat Security Response
Team.
References:
http://commons.apache.org/compress/security.html
http://ant.apache.org/security.html
Stefan Bodewig
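The advisory attributes the problem to a block-sorting step with unacceptable worst-case performance on repetitive input. The following Python model is an added illustration of that root cause, not code from Commons Compress or Ant (whose bzip2 implementation uses a far more elaborate sort); it orders all rotations of a block with a plain comparison sort, counts byte comparisons, and contrasts random data with a constructed all-identical block of the same size. The function names and the comparison counter are assumptions of this model.

```python
import random
from functools import cmp_to_key


def rotation_compare(block, i, j, counter):
    """Compare the rotations of block starting at i and j byte by byte.

    counter[0] accumulates the number of byte comparisons performed; a
    rotation comparison can only stop early at the first differing byte.
    """
    n = len(block)
    for k in range(n):
        counter[0] += 1
        a = block[(i + k) % n]
        b = block[(j + k) % n]
        if a != b:
            return -1 if a < b else 1
    return 0  # identical rotations: the whole block had to be walked


def naive_bwt_sort(block):
    """Naive Burrows-Wheeler block sort: order all rotations of block.

    Returns (sorted rotation start offsets, total byte comparisons).
    This models only the property that comparing two rotations costs as
    many byte reads as the length of their common prefix plus one.
    """
    counter = [0]
    key = cmp_to_key(lambda i, j: rotation_compare(block, i, j, counter))
    order = sorted(range(len(block)), key=key)
    return order, counter[0]


def compare_workloads(n=256, seed=1):
    """Byte comparisons for random input vs a constructed all-equal block.

    Returns (random_cost, repetitive_cost, ratio).
    """
    rng = random.Random(seed)
    random_block = bytes(rng.randrange(256) for _ in range(n))
    repetitive_block = bytes([0x41]) * n  # constructed highly repetitive input
    _, random_cost = naive_bwt_sort(random_block)
    _, repetitive_cost = naive_bwt_sort(repetitive_block)
    return random_cost, repetitive_cost, repetitive_cost / random_cost


if __name__ == "__main__":
    rnd, rep, ratio = compare_workloads()
    print(f"random: {rnd} byte comparisons, repetitive: {rep}, ratio {ratio:.1f}x")
```

With every byte equal, each rotation comparison walks the full block instead of stopping at the first differing byte, so the cost per comparison grows from about one byte to n bytes and the total work grows with the square of the block size.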