CVE-2021-36373

Apache Ant TAR archive denial of service vulnerability

EPSS 2.5% · CWE-130
In short

Apache Ant can be made to consume excessive memory and crash when it processes a specially crafted TAR file, even a very small one. An attacker who can get such a file into a build can use this to disrupt build processes.

Technical detail

A malicious TAR archive triggers unbounded memory allocation in Apache Ant's TAR reader, leading to an out-of-memory condition. The attack requires only that the victim's build process the crafted TAR file; the result is denial of service through resource exhaustion, with no code execution or data exposure reported.

Summary generated and translated by AI from the official description.
When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.
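The CWE-130 pattern behind this class of bug, shown as an added illustration that is not Apache Ant's code: a TAR entry's declared size comes from the untrusted archive, so a reader must check it against the bytes actually present (and a hard cap) before allocating for it. The 64 MiB cap, the sample archive and the forged header are constructed for this example.

```python
import io, tarfile
BLOCK = 512
MAX_ENTRY_BYTES = 64 * 1024 * 1024  # hypothetical per-entry cap for this example

def read_entries_bounded(data: bytes):
    """Yield (name, payload); never allocate for a malformed, capped-out or inconsistent size (CWE-130)."""
    pos = 0
    while pos + BLOCK <= len(data):
        header = data[pos:pos + BLOCK]
        pos += BLOCK
        if header == b"\0" * BLOCK:
            return  # end-of-archive marker
        name = header[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        field = header[124:136].split(b"\0", 1)[0].strip()
        if not field or field.strip(b"01234567"):  # reject signs, base-256, junk
            raise ValueError(f"{name}: size field is not plain octal")
        size = int(field, 8)
        remaining = len(data) - pos
        if size > MAX_ENTRY_BYTES or size > remaining:
            raise ValueError(f"{name}: declares {size} bytes, only {remaining} present")
        yield name, data[pos:pos + size]
        pos += -(-size // BLOCK) * BLOCK  # advance to the next 512-byte boundary

def rejects(archive: bytes) -> bool:  # True when the reader refuses rather than allocates
    try:
        list(read_entries_bounded(archive))
        return False
    except ValueError:
        return True

def build_tar(entries) -> bytes:
    """Constructed sample archive, written with the standard library."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def with_forged_size(archive: bytes, octal_size: bytes) -> bytes:
    """Constructed hostile input: forge the first header's size field and fix its checksum."""
    hdr = bytearray(archive[:BLOCK])
    hdr[124:136] = octal_size.ljust(12, b"\0")
    hdr[148:156] = b" " * 8  # the checksum is computed with its own field as spaces
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr) + archive[BLOCK:]

SAMPLE = build_tar([("build.xml", b"<project/>"), ("notes.txt", b"hi")])
FORGED = with_forged_size(SAMPLE, b"77777777777")  # claims ~8 GiB for a 10-byte entry
```

The forged header is otherwise well-formed (valid checksum), which is why the size must be validated against the archive itself rather than trusted because the header parses cleanly.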
