From 3eee09dd4c9fabc83234353ff7327f2bc4c36e03 Mon Sep 17 00:00:00 2001
From: Gary Gregory
Moderate: Denial of Service CVE-2023-42503
+ +Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.
+This issue affects Apache Commons Compress: from 1.22 before 1.24.0.
+Users are recommended to upgrade to version 1.24.0, which fixes the issue.
+A third party can create a malformed TAR file by manipulating file modification times headers, + which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.
+In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision + (issue # COMPRESS-612[1]). + The format for the PAX extended headers carrying this data consists of two numbers separated by a period[2], + indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and + “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.
+Parsing of these numbers uses the BigDecimal[3] class from the JDK which has a publicly known algorithmic complexity issue when doing + operations on large numbers, causing denial of service (see issue # JDK-6560193[4]). A third party can manipulate file time headers + in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) + within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a + denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098[5].
+Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile + classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.
+Low: Denial of Service CVE-2021-35515