Posted to user@commons.apache.org by Stefan Bodewig <bo...@apache.org> on 2012/05/23 16:00:48 UTC
[CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service
vulnerability
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Commons Compress 1.0 to 1.4
Apache Ant 1.5 to 1.8.3
Description:
The bzip2 compressing streams in Apache Commons Compress and Apache Ant
internally use sorting algorithms with unacceptable worst-case
performance on very repetitive inputs. A specially crafted input to
Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used
to make the process spend a very long time while using up all available
processing time, effectively leading to a denial of service.
Mitigation:
Commons Compress users should upgrade to 1.4.1
Ant users should upgrade to 1.8.4
Credit:
This issue was discovered by David Jorm of the Red Hat Security Response
Team.
References:
http://commons.apache.org/compress/security.html
http://ant.apache.org/security.html
Stefan Bodewig
Re: Fwd: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial
of service vulnerability
Posted by Adam Heath <do...@brainfood.com>.
And which ofbiz versions use commons/bzip2? Might have to check
catalina, jetty, etc.
On 05/23/2012 11:07 AM, Adrian Crum wrote:
>
>
> -------- Original Message --------
> Subject: [CVE-2012-2098] Apache Commons Compress and Apache Ant
> denial of service vulnerability
> Date: Wed, 23 May 2012 16:00:48 +0200
> From: Stefan Bodewig <bo...@apache.org>
> Reply-To: Commons Developers List <de...@commons.apache.org>
> To: dev@commons.apache.org, user@commons.apache.org,
> dev@ant.apache.org, user@ant.apache.org, announce@apache.org,
> security@apache.org, full-disclosure@lists.grok.org.uk,
> bugtraq@securityfocus.com, David Jorm <dj...@redhat.com>
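Adam's question (which deployed versions actually ship these libraries) and the advisory's version ranges both come down to an inventory check. The script below is an added example, not part of this thread and not OFBiz or Apache code: it walks a directory tree for jars, reads the Maven pom.properties that Maven-built jars embed under META-INF/maven/ when present, falls back to the conventional artifact-version.jar filename otherwise, and flags anything inside the affected ranges (Commons Compress 1.0 to 1.4, Ant 1.5 to 1.8.3). The jars it builds in a temporary directory are constructed for the demonstration, not real Apache artifacts; the renamed "vendor-bundle.jar" is there to show why reading inside the jar beats trusting the filename. The assumption that Ant's own jars may lack pom.properties is mine, which is why the filename fallback exists.

```python
"""Audit a directory tree for Apache Commons Compress and Apache Ant jars
whose versions fall in the ranges named by CVE-2012-2098.
Added example, not part of the thread; sample jars are constructed below."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Version ranges from the advisory, normalised to three components.
AFFECTED = {
    "commons-compress": ((1, 0, 0), (1, 4, 0)),   # 1.0 to 1.4, fixed in 1.4.1
    "ant":              ((1, 5, 0), (1, 8, 3)),   # 1.5 to 1.8.3, fixed in 1.8.4
}

# Conventional <artifact>-<version>.jar naming; a heuristic, used only as fallback.
FILENAME_RE = re.compile(r"^(commons-compress|ant)-(\d[\w.\-]*)\.jar$")


def parse_version(text):
    """'1.8.3', '1.4' or '1.4.1-SNAPSHOT' -> (1, 8, 3), (1, 4, 0), (1, 4, 1); None if no number."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # pad so 1.4 and 1.4.0 compare equal
        parts.append(0)
    return tuple(parts)


def is_affected(artifact, version):
    """True/False for a known artifact; None when the version cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    lo, hi = AFFECTED[artifact]
    return lo <= v <= hi


def identify_jar(path):
    """Return (artifact, version) for a jar, or None if it is not one we track.
    Prefer the pom.properties embedded by Maven (survives renaming and
    repackaging); fall back to the filename convention."""
    try:
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                    lines = zf.read(name).decode("utf-8", "replace").splitlines()
                    props = dict(line.split("=", 1) for line in lines
                                 if "=" in line and not line.startswith("#"))
                    artifact = props.get("artifactId", "").strip()
                    if artifact in AFFECTED and "version" in props:
                        return artifact, props["version"].strip()
    except zipfile.BadZipFile:
        return None
    m = FILENAME_RE.match(os.path.basename(path))
    return (m.group(1), m.group(2)) if m else None


def scan(root):
    """Walk root; return [(relative path, artifact, version, affected)] for recognised jars."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(".jar"):
                continue
            full = os.path.join(dirpath, fn)
            ident = identify_jar(full)
            if ident:
                artifact, version = ident
                findings.append((os.path.relpath(full, root), artifact, version,
                                 is_affected(artifact, version)))
    return findings


def _make_jar(path, artifact=None, group=None, version=None):
    """Build a minimal constructed jar; embed pom.properties when artifact/version are given."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if artifact and version:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"#constructed\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")


def build_sample_tree(root):
    """Constructed sample tree: affected, fixed, repackaged and unrelated jars."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    _make_jar(lib / "commons-compress-1.4.jar", "commons-compress", "org.apache.commons", "1.4")
    _make_jar(lib / "commons-compress-1.4.1.jar", "commons-compress", "org.apache.commons", "1.4.1")
    _make_jar(lib / "ant-1.8.3.jar")        # filename only: assumes Ant's jars may lack pom.properties
    _make_jar(lib / "ant-1.8.4.jar")
    # Repackaged under a neutral name: only the embedded pom.properties reveals it.
    _make_jar(lib / "vendor-bundle.jar", "commons-compress", "org.apache.commons", "1.2")
    _make_jar(lib / "unrelated-2.0.jar")    # not tracked, must be ignored
    return str(lib)


def demo():
    """Build the constructed tree in a temporary directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, artifact, version, affected in demo():
        status = {True: "AFFECTED", False: "ok", None: "unknown version"}[affected]
        print(f"{status:16} {artifact} {version}  ({rel})")
```

Point scan() at a real lib or WEB-INF/lib directory to use it outside the demo. It only reports what is on disk: a fat jar that shades these classes under a different package, or a container (as Adam notes, catalina, jetty) that loads them from elsewhere, needs the same check applied to its own library paths.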
Re: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
I did the upgrade in rev. 1342326; tests pass and the system seems to work properly (but I did a cursory review of applications).
Please let me know if you see/experience any issues and I will fix them.
Regards,
Jacopo
On May 23, 2012, at 6:12 PM, Jacopo Cappellato wrote:
> Yeah
>
> I got it earlier today too and I was in fact working on the upgrade
>
> Thanks
>
> Jacopo
>
> On May 23, 2012, at 6:07 PM, Adrian Crum wrote:
>
>>
>>
>> -------- Original Message --------
>> Subject: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
>> Date: Wed, 23 May 2012 16:00:48 +0200
>> From: Stefan Bodewig <bo...@apache.org>
>> Reply-To: Commons Developers List <de...@commons.apache.org>
>> To: dev@commons.apache.org, user@commons.apache.org, dev@ant.apache.org, user@ant.apache.org, announce@apache.org, security@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, David Jorm <dj...@redhat.com>
>>
Re: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
Yeah
I got it earlier today too and I was in fact working on the upgrade
Thanks
Jacopo
On May 23, 2012, at 6:07 PM, Adrian Crum wrote:
>
>
> -------- Original Message --------
> Subject: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
> Date: Wed, 23 May 2012 16:00:48 +0200
> From: Stefan Bodewig <bo...@apache.org>
> Reply-To: Commons Developers List <de...@commons.apache.org>
> To: dev@commons.apache.org, user@commons.apache.org, dev@ant.apache.org, user@ant.apache.org, announce@apache.org, security@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, David Jorm <dj...@redhat.com>
>
Fwd: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial
of service vulnerability
Posted by Adrian Crum <ad...@sandglass-software.com>.
-------- Original Message --------
Subject: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial
of service vulnerability
Date: Wed, 23 May 2012 16:00:48 +0200
From: Stefan Bodewig <bo...@apache.org>
Reply-To: Commons Developers List <de...@commons.apache.org>
To: dev@commons.apache.org, user@commons.apache.org,
dev@ant.apache.org, user@ant.apache.org, announce@apache.org,
security@apache.org, full-disclosure@lists.grok.org.uk,
bugtraq@securityfocus.com, David Jorm <dj...@redhat.com>