From 3eee09dd4c9fabc83234353ff7327f2bc4c36e03 Mon Sep 17 00:00:00 2001 From: Gary Gregory Date: Wed, 13 Sep 2023 15:49:27 -0400 Subject: [PATCH] Update site for CVE-2023-42503 --- src/site/xdoc/security.xml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml index f3efae6a7c9..ad853cbcb10 100644 --- a/src/site/xdoc/security.xml +++ b/src/site/xdoc/security.xml @@ -54,6 +54,36 @@ the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

+ +

Moderate: Denial of Service CVE-2023-42503

+ +

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.

+

This issue affects Apache Commons Compress: from 1.22 before 1.24.0.

+

Users are recommended to upgrade to version 1.24.0, which fixes the issue.

+

A third party can create a malformed TAR file by manipulating file modification times headers, + which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.

+

In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision + (issue # COMPRESS-612[1]). + The format for the PAX extended headers carrying this data consists of two numbers separated by a period[2], + indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and + “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.

+

Parsing of these numbers uses the BigDecimal[3] class from the JDK which has a publicly known algorithmic complexity issue when doing + operations on large numbers, causing denial of service (see issue # JDK-6560193[4]). A third party can manipulate file time headers + in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) + within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a + denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098[5].

+ +

Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile + classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.

+
+

Low: Denial of Service CVE-2021-35515