Mageia: 2019-0001 Critical: Apache Commons Compress DoS Attack Insight

mageia

January 5, 2019

A flaw was found in Apache Commons Compress versions 1.11 to 1.15

Summary

A flaw was found in Apache Commons Compress versions 1.11 to 1.15. A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package (CVE-2018-1324).
Apache Commons Compress versions 1.7 to 1.17 are vulnerable to a denial of service attack via crafted ZIP archive. When reading a specially crafted ZIP archive, the read method of ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package (CVE-2018-11771).

References

- https://bugs.mageia.org/show_bug.cgi?id=22787

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UJ7GKBUCVEHQVGOXIOT6EWCRVDZJMHGK/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLKWBUZ7KVAJV6VZAY2UYW5JIEVMRT2R/

- https://www.cve.org/CVERecord?id=CVE-2018-1324

- https://www.cve.org/CVERecord?id=CVE-2018-11771

Topics Covered

security advisory denial of service security update infinite loop zip file Mageia Apache Commons Compress

Resolution

SRPMS

- 6/core/apache-commons-compress-1.12-1.2.mga6

Severity

critical

Lowest

Low

Medium

High

Critical

Publication date: 05 Jan 2019

URL: https://advisories.mageia.org/MGASA-2019-0001.html

Type: security

CVE: CVE-2018-1324, CVE-2018-11771

Topics Covered

security advisory denial of service security update infinite loop zip file Mageia Apache Commons Compress

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Like staying secure? So do we.
Sign up for updates, tips, and alerts!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Mageia: 2019-0001 Critical: Apache Commons Compress DoS Attack Insight

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Mageia: 2019-0001 Critical: Apache Commons Compress DoS Attack Insight

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related Articles

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!