Apache Commons Compress BZip2CompressorOutputStream() Sorting Algorithm Lets Remote or Local Users Deny Service
SecurityTracker Alert ID: 1027096
SecurityTracker URL: http://securitytracker.com/id/1027096
Date: May 24 2012
Denial of service via local system, Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.0 - 1.4
A vulnerability was reported in Apache Commons Compress. A remote or local user can cause denial of service conditions.
A user can supply specially crafted data to be processed by the BZip2CompressorOutputStream() function to cause the target application or service to consume excessive processing resources.
Apache Ant versions 1.5 through 1.8.3 are also affected.
The vendor was notified on April 12, 2012.
David Jorm of the Red Hat Security Response Team reported this vulnerability.
A remote or local user can cause the target application or service to consume excessive processing resources.
The vendor has issued a fix (1.4.1).
The vendor's advisory is available at:
Vendor URL: commons.apache.org/compress/security.html
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: [Full-disclosure] [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service
The Apache Software Foundation
Apache Commons Compress 1.0 to 1.4
Apache Ant 1.5 to 1.8.3
The bzip2 compressing streams in Apache Commons Compress and Apache Ant
internally use sorting algorithms with unacceptable worst-case
performance on very repetitive inputs. A specially crafted input to
Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used
to make the process spend a very long time while using up all available
processing time effectively leading to a denial of service.
Commons Compress users should upgrade to 1.4.1
Ant users should upgrade to 1.8.4
This issue was discovered by David Jorm of the Red Hat Security Response Team.
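The advisory's fix is the upgrade to Commons Compress 1.4.1 (Ant 1.8.4). As an added interim mitigation, not code from the advisory or from the Commons Compress project, the class below compresses untrusted data on a small bounded worker pool under a wall-clock budget, so a worst-case input ties up at most one pool thread instead of the caller. The budget (5 s) and pool size (2) are assumed values to tune per deployment.

```java
import org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public final class BoundedBzip2 {
    // Assumed wall-clock budget for compressing one untrusted input.
    private static final long BUDGET_MILLIS = 5_000;

    // Bulkhead: at most two compressions run at once, so abandoned worst-case jobs
    // can burn at most two cores. Daemon threads do not block JVM shutdown.
    private static final ExecutorService POOL = Executors.newFixedThreadPool(2, r -> {
        Thread t = new Thread(r, "bzip2-compress");
        t.setDaemon(true);
        return t;
    });

    public static byte[] compressWithBudget(byte[] untrusted) throws IOException {
        Future<byte[]> job = POOL.submit(() -> {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (BZip2CompressorOutputStream bz = new BZip2CompressorOutputStream(buf)) {
                bz.write(untrusted);
            }
            return buf.toByteArray();
        });
        try {
            // The budget also covers time spent queued behind other jobs.
            return job.get(BUDGET_MILLIS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // The block sort never polls the interrupt flag, so cancel(true) only marks
            // the job; the worker keeps running until the sort finishes. Reject the input
            // and let the caller log it for detection of repeated slow inputs.
            job.cancel(true);
            throw new IOException("bzip2 compression exceeded " + BUDGET_MILLIS + " ms; input rejected");
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while compressing", e);
        } catch (ExecutionException e) {
            throw new IOException("compression failed", e.getCause());
        }
    }
}
```

Counting timeouts per client is a cheap detection signal for this issue; the budget alone does not free the worker thread, so the pool size is what bounds the damage until the upgrade is deployed.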