CVE-2021-36373 - Vulnerability Details

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Ant
Oracle	Agile Plm Banking Trade Finance Banking Treasury Management Communications Cloud Native Core Automated Test Suite Communications Cloud Native Core Binding Support Function Communications Order And Service Management Communications Unified Inventory Management Enterprise Repository Financial Services Analytical Applications Infrastructure Insurance Policy Administration Primavera Gateway Primavera Unifier Real-time Decision Server Retail Advanced Inventory Planning Retail Back Office Retail Bulk Data Integration Retail Central Office Retail Eftlink Retail Extract Transform And Load Retail Financial Integration Retail Integration Bus Retail Invoice Matching Retail Merchandising System Retail Point-of-service Retail Predictive Application Server Retail Service Backbone Retail Store Inventory Management Retail Xstore Point Of Service Timesten In-memory Database Utilities Framework Utilities Testing Accelerator
Redhat	Jboss Enterprise Bpms Platform

Configuration 1 [-]

OR	cpe:2.3:a:apache:ant::::::::
	cpe:2.3:a:apache:ant::::::::

Configuration 2 [-]

OR	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:banking_trade_finance:14.5:::::::*
	cpe:2.3:a:oracle:banking_treasury_management:14.5:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:::::::*
	cpe:2.3:a:oracle:communications_order_and_service_management:7.3:::::::*
	cpe:2.3:a:oracle:communications_order_and_service_management:7.4:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:::::::*
	cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:insurance_policy_administration::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:real-time_decision_server:3.2.0.0:::::::*
	cpe:2.3:a:oracle:real-time_decision_server:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:::::::*
	cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:::::::*
	cpe:2.3:a:oracle:retail_advanced_inventory_planning:16.0:::::::*
	cpe:2.3:a:oracle:retail_back_office:14.0:::::::*
	cpe:2.3:a:oracle:retail_back_office:14.1:::::::*
	cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_bulk_data_integration:19.0.1:::::::*
	cpe:2.3:a:oracle:retail_central_office:14.0:::::::*
	cpe:2.3:a:oracle:retail_central_office:14.1:::::::*
	cpe:2.3:a:oracle:retail_eftlink:19.0.1:::::::*
	cpe:2.3:a:oracle:retail_eftlink:20.0.1:::::::*
	cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:15.0.4.0:::::::*
	cpe:2.3:a:oracle:retail_financial_integration:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:15.0.4.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:19.0.1.0:::::::*
	cpe:2.3:a:oracle:retail_invoice_matching:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:::::::*
	cpe:2.3:a:oracle:retail_point-of-service:14.0:::::::*
	cpe:2.3:a:oracle:retail_point-of-service:14.1:::::::*
	cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:::::::*
	cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:::::::*
	cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:15.0.4.0:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_service_backbone:19.0.1.0:::::::*
	cpe:2.3:a:oracle:retail_store_inventory_management:14.1:::::::*
	cpe:2.3:a:oracle:retail_store_inventory_management:15.0:::::::*
	cpe:2.3:a:oracle:retail_store_inventory_management:16.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:::::::*
	cpe:2.3:a:oracle:timesten_in-memory_database::::::::
cpe:2.3:a:oracle:utilities_framework::::::::
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:::::::*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:::::::*

Package	CPE	Advisory	Released Date
RHPAM 7.13.0 async
ant	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2022:5903	2022-08-04T00:00:00Z

References

Link	Providers
https://ant.apache.org/security.html
https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E
https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E
https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E
https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2021-36373
https://security.netapp.com/advisory/ntap-20210819-0007/
https://www.cve.org/CVERecord?id=CVE-2021-36373
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-07-14T06:20:11

Updated: 2024-08-04T00:54:51.488Z

Reserved: 2021-07-12T00:00:00

Link: CVE-2021-36373

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-07-14T07:15:08.237

Modified: 2024-11-21T06:13:37.863

Link: CVE-2021-36373

Redhat

Severity : Low

Publid Date: 2021-07-13T00:00:00Z

Links: CVE-2021-36373 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object