Posted to user@commons.apache.org by Stefan Bodewig <bo...@apache.org> on 2012/05/23 16:00:48 UTC

[CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability

CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service
               vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Compress 1.0 to 1.4
Apache Ant 1.5 to 1.8.3

Description:
The bzip2 compressing streams in Apache Commons Compress and Apache Ant
internally use sorting algorithms with unacceptable worst-case
performance on very repetitive inputs.  A specially crafted input to
Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used
to make the process spend a very long time while using up all available
processing time, effectively leading to a denial of service.

Mitigation:
Commons Compress users should upgrade to 1.4.1
Ant users should upgrade to 1.8.4

Credit:
This issue was discovered by David Jorm of the Red Hat Security Response
Team.

References:
http://commons.apache.org/compress/security.html
http://ant.apache.org/security.html

Stefan Bodewig

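As an added example (not part of the advisory or of any reply in this thread), a small Python script that flags bundled jars whose version falls inside the affected ranges stated above, the kind of inventory the replies below go on to do for OFBiz and its bundled servers; the jar naming pattern, the sample paths and the status labels are my assumptions.

```python
import re
from pathlib import Path

# Version strings exactly as given in the advisory:
# (first affected, last affected, first fixed) per artifact.
AFFECTED = {
    "commons-compress": ("1.0", "1.4", "1.4.1"),
    "ant": ("1.5", "1.8.3", "1.8.4"),
}

# Assumed naming convention: the core jar is "<artifact>-<version>.jar".
JAR_RE = re.compile(r"^(?P<name>commons-compress|ant)-(?P<ver>\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.8.3' -> (1, 8, 3). Trailing zeros are dropped so that a jar
    labelled 1.4.0 compares equal to 1.4 (affected) rather than sorting
    above it and being mistaken for the fixed 1.4.1 release."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify_jar(filename):
    """Return (artifact, version string, status) for a jar we track,
    or None for any other file. status is 'affected', 'fixed', or
    'not-listed' (a version the advisory does not mention)."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    name, ver_text = m.group("name"), m.group("ver")
    ver = parse_version(ver_text)
    low, high, fix = (parse_version(v) for v in AFFECTED[name])
    if low <= ver <= high:
        status = "affected"
    elif ver >= fix:
        status = "fixed"
    else:
        status = "not-listed"
    return name, ver_text, status


def scan_classpath(jar_paths):
    """Classify each path (only the file name matters) and return the
    affected findings as a list of (artifact, version, status) tuples."""
    findings = []
    for path in jar_paths:
        result = classify_jar(Path(path).name)
        if result and result[2] == "affected":
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Constructed sample classpath; not taken from any real OFBiz, Tomcat or Jetty tree.
    sample = ["lib/commons-compress-1.4.jar", "lib/commons-compress-1.4.1.jar",
              "lib/ant-1.8.3.jar", "lib/ant-1.8.4.jar", "lib/commons-io-2.4.jar"]
    for name, ver, _ in scan_classpath(sample):
        print(f"{name} {ver}: affected by CVE-2012-2098, upgrade to {AFFECTED[name][2]}")
```

To scan a real installation, pass `Path(root).rglob("*.jar")` to `scan_classpath` instead of the sample list.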
Re: Fwd: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability

Posted by Adam Heath <do...@brainfood.com>.
And which ofbiz versions use commons/bzip2?  Might have to check
catalina, jetty, etc.

On 05/23/2012 11:07 AM, Adrian Crum wrote:
> 
> 
> -------- Original Message --------
> Subject: 	[CVE-2012-2098] Apache Commons Compress and Apache Ant
> denial of service vulnerability
> Date: 	Wed, 23 May 2012 16:00:48 +0200
> From: 	Stefan Bodewig <bo...@apache.org>
> Reply-To: 	Commons Developers List <de...@commons.apache.org>
> To: 	dev@commons.apache.org, user@commons.apache.org,
> dev@ant.apache.org, user@ant.apache.org, announce@apache.org,
> security@apache.org, full-disclosure@lists.grok.org.uk,
> bugtraq@securityfocus.com, David Jorm <dj...@redhat.com>


Re: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability

Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
I did the upgrade in rev. 1342326; tests pass and the system seems to work properly (but I did a cursory review of applications).
Please let me know if you see/experience any issues and I will fix them.

Regards,

Jacopo

On May 23, 2012, at 6:12 PM, Jacopo Cappellato wrote:

> Yeah
> 
> I got it earlier today too and I was in fact working on the upgrade
> 
> Thanks
> 
> Jacopo
> 
> On May 23, 2012, at 6:07 PM, Adrian Crum wrote:
> 
>> 
>> 
>> -------- Original Message --------
>> Subject:	[CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
>> Date:	Wed, 23 May 2012 16:00:48 +0200
>> From:	Stefan Bodewig <bo...@apache.org>
>> Reply-To:	Commons Developers List <de...@commons.apache.org>
>> To:	dev@commons.apache.org, user@commons.apache.org, dev@ant.apache.org, user@ant.apache.org, announce@apache.org, security@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, David Jorm <dj...@redhat.com>


Re: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability

Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
Yeah

I got it earlier today too and I was in fact working on the upgrade

Thanks

Jacopo

On May 23, 2012, at 6:07 PM, Adrian Crum wrote:

> 
> 
> -------- Original Message --------
> Subject:	[CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
> Date:	Wed, 23 May 2012 16:00:48 +0200
> From:	Stefan Bodewig <bo...@apache.org>
> Reply-To:	Commons Developers List <de...@commons.apache.org>
> To:	dev@commons.apache.org, user@commons.apache.org, dev@ant.apache.org, user@ant.apache.org, announce@apache.org, security@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, David Jorm <dj...@redhat.com>


Fwd: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability

Posted by Adrian Crum <ad...@sandglass-software.com>.

-------- Original Message --------
Subject: 	[CVE-2012-2098] Apache Commons Compress and Apache Ant denial 
of service vulnerability
Date: 	Wed, 23 May 2012 16:00:48 +0200
From: 	Stefan Bodewig <bo...@apache.org>
Reply-To: 	Commons Developers List <de...@commons.apache.org>
To: 	dev@commons.apache.org, user@commons.apache.org, 
dev@ant.apache.org, user@ant.apache.org, announce@apache.org, 
security@apache.org, full-disclosure@lists.grok.org.uk, 
bugtraq@securityfocus.com, David Jorm <dj...@redhat.com>