The MITRE CVE dictionary describes this issue as:

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Find out more about CVE-2018-11771 from the MITRE CVE dictionary and NIST NVD.
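As an added illustration, not part of this advisory or of Commons Compress itself: a caller-side guard that reads ZIP entries through ZipArchiveInputStream but bounds the bytes consumed per entry and per archive, so a stream that never reports EOF fails closed instead of looping forever. The class name BoundedZipReader and the budget values are assumptions; the loop works on the raw byte stream, so no InputStreamReader ever sees an unbounded stream.

```java
import java.io.IOException;
import java.io.InputStream;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/**
 * Hypothetical helper (not part of Commons Compress): drains every entry of a
 * ZIP stream but refuses to consume more than a fixed byte budget per entry and
 * for the archive as a whole, so a stream that never signals EOF cannot spin.
 */
public final class BoundedZipReader {

    private final long maxBytesPerEntry;
    private final long maxBytesTotal;

    public BoundedZipReader(long maxBytesPerEntry, long maxBytesTotal) {
        this.maxBytesPerEntry = maxBytesPerEntry;
        this.maxBytesTotal = maxBytesTotal;
    }

    /** Returns the uncompressed bytes consumed; throws if a budget is exceeded. */
    public long drain(InputStream archive) throws IOException {
        long total = 0;
        byte[] buf = new byte[8192];
        try (ZipArchiveInputStream zin = new ZipArchiveInputStream(archive)) {
            ZipArchiveEntry entry;
            while ((entry = zin.getNextZipEntry()) != null) {
                long perEntry = 0;
                int n;
                // A correct stream returns -1 at the end of the entry. The affected
                // versions may keep returning data for a crafted archive, so the
                // loop is terminated by the budgets rather than by trusting EOF.
                while ((n = zin.read(buf, 0, buf.length)) != -1) {
                    perEntry += n;
                    total += n;
                    if (perEntry > maxBytesPerEntry) {
                        throw new IOException("entry " + entry.getName()
                                + " exceeds per-entry budget of " + maxBytesPerEntry);
                    }
                    if (total > maxBytesTotal) {
                        throw new IOException("archive exceeds total budget of " + maxBytesTotal);
                    }
                }
            }
        }
        return total;
    }
}
```

Choose the budgets from what the service legitimately expects to unpack; the guard limits the damage of a crafted archive but does not replace a library version that returns EOF correctly.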
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
Metric | Value
---|---
CVSS3 Base Score | 4.3
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality Impact | None
Integrity Impact | None
Availability Impact | Low
Platform | Package | State
---|---|---
Red Hat Virtualization 4 | apache-commons-compress | Not affected |
Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-apache-commons-compress | Not affected |
Red Hat Software Collections for Red Hat Enterprise Linux | rh-maven35-apache-commons-compress | Affected |
Red Hat Satellite 6 | commons-compress | Under investigation |
Red Hat OpenStack Platform 9.0 | opendaylight | Will not fix |
Red Hat OpenStack Platform 8.0 (Liberty) | opendaylight | Will not fix |
Red Hat Mobile Application Platform On-Premise 4 | commons-compress | Under investigation |
Red Hat JBoss Operations Network 3 | commons-compress | Under investigation |
Red Hat JBoss Fuse Service Works 6 | commons-compress | Under investigation |
Red Hat JBoss Fuse 7 | commons-compress | Under investigation |
Red Hat JBoss Fuse 6 | commons-compress | Under investigation |
Red Hat JBoss Data Virtualization 6 | commons-compress | Under investigation |
Red Hat JBoss BRMS 6 | commons-compress | Under investigation |
Red Hat JBoss BPMS 6 | commons-compress | Under investigation |
Red Hat Gluster Storage 3 | commons-compress | Will not fix |
Red Hat Enterprise Linux 7 | apache-commons-compress | Not affected |