-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3397
  Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress
  affect Liberty for Java for IBM Cloud (CVE-2021-33517, CVE-2021-36090)
                              14 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Liberty for Java
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-36090 CVE-2021-35517 CVE-2021-33517

Reference:         ESB-2021.3130
                   ESB-2021.2651

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6498141

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple Vulnerabilities in Apache Commons Compress affect Liberty for Java for
IBM Cloud (CVE-2021-33517, CVE-2021-36090)

Document Information

Document number    : 6498141
Modified date      : 12 October 2021
Product            : Liberty for Java
Software version   : All
Operating system(s): Linux

Summary

Multiple Vulnerabilities in Apache Commons Compress affect Liberty for Java for
IBM Cloud.

Vulnerability Details

CVEID: CVE-2021-35517
DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service,
caused by an out of memory error when allocating large amounts of memory. By
persuading a victim to open a specially-crafted TAR archive, a remote attacker
could exploit this vulnerability to cause a denial of service condition against
services that use Compress' tar package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
205307 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-36090
DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service,
caused by an out-of-memory error when large amounts of memory are allocated. By
reading a specially-crafted ZIP archive, a remote attacker could exploit this
vulnerability to cause a denial of service condition against services that use
Compress' zip package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
205310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

These vulnerabilities affect all versions of Liberty for Java in IBM Cloud up
to and including v3.61.


Remediation/Fixes

To upgrade to Liberty for Java v3.62-20210922-1852 or higher, you must re-stage
or re-push your application

To find the current version of Liberty for Java in IBM Cloud being used, from
the command-line Cloud Foundry client by running the following commands:

cf ssh <appname> -c cat "staging_info.yml"

Look for the following lines:

{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-21.0.0_9,
buildpack-v3.62-20210922-1852, ibmjdk-1.8.0_sr6fp36-20210824, env,
spring-auto-reconfiguration-1.12.0_RELEASE)","start_command":".liberty/
initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use
the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use
the following command:

cf push <appname>

Workarounds and Mitigations

None

Change History

12 Oct 2021: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYWeIG+NLKJtyKPYoAQh5xxAAmAVVWaDZ7lm15qK2JKrCG7l4u5SpqNon
ruAp33YPD2U9Y9hk9KBuER4dMOGh6W3gQB8MXGVh3e9mE5iUyIuorbAJC7nm7pCd
pVdL244N0k8K+3ZMBSj8AdK3A9ZnmpWZ0g2V7jAYDNYVLE0H0W7ZrPOEj8iDGvK9
VYLqNu+gmw9ecXT8ZOkH/R1iO5AApfSK1FJXOOo5ug9WX+M3tT8Dj9AEHxAj5cqG
+MBCDuqJ6xVka+bNjTdCcn/7btzmMTCXCUOTSHLnXaUCRMBI1VGKQVkakvujT9S1
1YNffmNYzd/U1GDv8dd2T4wLHYWACFS35cw1Obdk/uSaeAEdUmTNPMZX9xURxNDi
6Fx3jxkXAYq0gAWMk8QsUN0/ZZhqD71Hc6GO0Xmejg6zj350V03QhB38RIUo5aI5
TKQfrcZY8G5V8tc618QdeQG7vtQDXGdJqntmFV11RgxgCJueNtxJGO7p/FUJWydY
HUEZNmNSnmKoMWGrSwkH8sxs/gnCQznHaNn82p/xPL9JJptDYMEqs5j5vImaCydM
5KT0uehgZKbOUBBoCcfCTexa1OLJPfEbhgDf+gc2wPufWH0g17stPahGyTy6e1tt
lcDBaJtYR2TWIlKzGbLssLcORK+7bnF7gLh6Ek42DKN74Vtd+IvOJFdNWqWq/Bu6
uZoyk7TCkWs=
=wOAl
-----END PGP SIGNATURE-----