CVE-2021-36374
Apache Ant ZIP, and ZIP-based, archive denial of service vulnerability
In short
Apache Ant crashes when processing specially crafted ZIP files (including JAR and office documents) because it tries to allocate huge amounts of memory, even for small files. This can disrupt build processes.
Technical detail
CWE-130 (improper handling of length parameter inconsistency): the archive parser trusts length fields taken from a maliciously crafted ZIP archive or ZIP-derived format, which causes unbounded memory allocation. Affected versions prior to 1.9.16 and 1.10.11 lack proper size validation, leading to denial of service through out-of-memory errors during the build process.
Summary generated and translated by AI from the official description.
When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory, which leads to an out-of-memory error even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used formats derived from ZIP archives are, for instance, JAR files and many office files. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.
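The defect described above is a missing check of declared lengths before they are used to size a buffer. The following is an added example (not Ant's code, and not its fix) of a pre-screen that walks a ZIP's local file headers and validates every declared length against the bytes actually present and against an assumed per-entry cap (`MAX_ENTRY_BYTES`, a hypothetical policy value) before anything is allocated; the undersized sample archive is constructed inline.

```python
"""Bounded ZIP local-header walker: each declared length is checked against
the archive length and a hard cap before any buffer would be allocated."""
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")   # 30-byte local file header
MAX_ENTRY_BYTES = 64 * 1024 * 1024          # hypothetical per-entry cap


def check_zip(data: bytes, cap: int = MAX_ENTRY_BYTES) -> list:
    """Return a list of (entry name, reason) for every implausible length."""
    problems, pos = [], 0
    while pos + LOCAL_HDR.size <= len(data):
        (sig, _ver, flags, _meth, _t, _d, _crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, pos)
        if sig != LOCAL_SIG:
            break                            # reached the central directory
        pos += LOCAL_HDR.size
        if nlen + xlen > len(data) - pos:    # name/extra would run past EOF
            problems.append(("<header@%d>" % pos, "name/extra length exceeds file"))
            break
        name = data[pos:pos + nlen].decode("utf-8", "replace")
        pos += nlen + xlen
        if flags & 0x08:                     # sizes live in a data descriptor
            problems.append((name, "data-descriptor entries not screened"))
            break
        if usize > cap:                      # would drive a huge allocation
            problems.append((name, "uncompressed size %d exceeds cap" % usize))
        if csize > len(data) - pos:          # more payload claimed than exists
            problems.append((name, "compressed size %d exceeds file" % csize))
            break
        pos += csize
    return problems


def good_zip() -> bytes:
    """A well-formed archive built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("build.xml", "<project/>" * 100)
    return buf.getvalue()


# Constructed sample: a lone 35-byte header whose declared sizes (4 GiB)
# dwarf the file that carries it; no payload follows the name.
BAD_ZIP = LOCAL_HDR.pack(LOCAL_SIG, 20, 0, 0, 0, 0, 0,
                         0xFFFFFFFF, 0xFFFFFFFF, 5, 0) + b"a.txt"
```

Running `check_zip(good_zip())` yields an empty list, while `check_zip(BAD_ZIP)` flags both the capped uncompressed size and the compressed size that exceeds the file.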
Affected products
Apache Software Foundation · Apache Ant
References
https://ant.apache.org/security.html
https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E
https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E
https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E
https://security.netapp.com/advisory/ntap-20210819-0007/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html