Bug 1220070 (CVE-2024-25710) - VUL-0: CVE-2024-25710: apache-commons-compress: denial of service caused by an infinite loop for a corrupted DUMP file
Status: RESOLVED FIXED
Alias: CVE-2024-25710
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/394505/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-25710:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-19 12:01 UTC by SMASH SMASH
Modified: 2024-03-05 16:57 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-02-19 12:01:04 UTC
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25710
https://www.cve.org/CVERecord?id=CVE-2024-25710
https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf
https://seclists.org/oss-sec/2024/q1/141

Patch:
https://github.com/apache/commons-compress/pull/442
https://github.com/apache/commons-compress/commit/8a9a5847c04ae39a1d45b365f8bb82022466067d
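The description above names the vulnerability class (a parser loop with no reachable exit on a corrupted DUMP archive) and the affected range (1.3 through 1.25.0). The following is an added example, not code from this bug report, from SUSE, or from the Apache Commons Compress project: it checks the loaded library version against that range and reads a DUMP archive on a worker thread under a wall-clock budget, so that a parser which never returns cannot hang the calling thread. The class name BoundedDumpListing, the 10-second budget and the fail-closed treatment of an unknown version are assumptions made for the example; the commons-compress API calls used (DumpArchiveInputStream, DumpArchiveEntry, getNextEntry, getName, getSize) are the library's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.compress.archivers.dump.DumpArchiveEntry;
import org.apache.commons.compress.archivers.dump.DumpArchiveInputStream;

/**
 * Added example (not from the bug report or from Apache Commons Compress):
 * list the entries of a DUMP archive without letting a hung parser block the caller.
 */
public final class BoundedDumpListing {

    /** Affected range from the advisory: 1.3 through 1.25.0 inclusive. Unknown versions fail closed (assumption). */
    static boolean isAffectedVersion(String version) {
        if (version == null) {
            return true;
        }
        int[] v = parseVersion(version);
        return compare(v, new int[] {1, 3, 0}) >= 0 && compare(v, new int[] {1, 25, 0}) <= 0;
    }

    /** Reads up to three numeric components; qualifiers such as "-SNAPSHOT" are ignored. */
    private static int[] parseVersion(String s) {
        int[] out = new int[3];
        int i = 0;
        for (String part : s.split("[^0-9]+")) {
            if (!part.isEmpty() && i < 3) {
                out[i++] = Integer.parseInt(part);
            }
        }
        return out;
    }

    private static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /**
     * Parses the archive on a daemon worker thread and waits at most {@code timeout}.
     * The timeout bounds the caller's latency; it does not stop a loop that never
     * checks for interruption, so the worker may keep spinning until the JVM exits.
     */
    static List<String> listEntries(Path archive, long timeout, TimeUnit unit)
            throws IOException, TimeoutException, InterruptedException {
        ExecutorService worker = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "dump-parser");
            t.setDaemon(true); // a stuck parser must not keep the JVM alive
            return t;
        });
        Future<List<String>> pending = worker.submit(() -> {
            List<String> names = new ArrayList<>();
            try (InputStream in = Files.newInputStream(archive);
                 DumpArchiveInputStream dump = new DumpArchiveInputStream(in)) {
                DumpArchiveEntry entry;
                while ((entry = dump.getNextEntry()) != null) {
                    names.add(entry.getName() + " (" + entry.getSize() + " bytes)");
                }
            }
            return names;
        });
        try {
            return pending.get(timeout, unit);
        } catch (TimeoutException e) {
            pending.cancel(true); // interrupts the worker; only effective if the parser blocks on I/O
            throw e;
        } catch (ExecutionException e) {
            throw new IOException("DUMP parsing failed: " + e.getCause(), e.getCause());
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Implementation-Version comes from the jar manifest; it can be absent in shaded or
        // distribution-repackaged jars, in which case the version is treated as affected (assumption).
        Package pkg = DumpArchiveInputStream.class.getPackage();
        String version = pkg == null ? null : pkg.getImplementationVersion();
        System.out.println("commons-compress " + version
                + (isAffectedVersion(version) ? ": in the affected range, upgrade to 1.26.0"
                                              : ": outside the affected range"));
        for (String line : listEntries(Path.of(args[0]), 10, TimeUnit.SECONDS)) {
            System.out.println(line);
        }
    }
}
```

Usage: compile against commons-compress on the classpath (Java 11 or later for Path.of) and run `java BoundedDumpListing some-archive.dump`. The thread-level budget is a stop-gap, not a fix: an infinite loop that performs no blocking I/O ignores the interrupt from cancel(true) and keeps burning a core, so a service that must accept DUMP archives from untrusted sources should additionally isolate the parser in a separate process with a kill timeout or a CPU limit. The actual fix is upgrading to commons-compress 1.26.0, which is the version SUSE ships in the update below.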
Comment 1 Andrea Mattiazzo 2024-02-19 12:01:52 UTC
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/apache-commons-compress  1.21
- SUSE:SLE-15-SP2:Update/apache-commons-compress        1.21
- openSUSE:Factory/apache-commons-compress              1.21
Comment 6 Maintenance Automation 2024-02-29 12:30:05 UTC
SUSE-SU-2024:0726-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1220068, 1220070
CVE References: CVE-2024-25710, CVE-2024-26308
Sources used:
SUSE Manager Server 4.3 Module 4.3 (src): apache-commons-compress-1.26.0-150200.3.16.1, apache-commons-codec-1.16.1-150200.3.9.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
SUSE Manager Proxy 4.3 (src): apache-commons-codec-1.16.1-150200.3.9.1, apache-commons-io-2.15.1-150200.3.12.1
SUSE Manager Retail Branch Server 4.3 (src): apache-commons-codec-1.16.1-150200.3.9.1, apache-commons-io-2.15.1-150200.3.12.1
SUSE Manager Server 4.3 (src): apache-commons-codec-1.16.1-150200.3.9.1, apache-commons-io-2.15.1-150200.3.12.1
SUSE Enterprise Storage 7.1 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
openSUSE Leap 15.5 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-javadoc-plugin-bootstrap-3.6.0-150200.4.10.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, maven-resources-plugin-bootstrap-3.3.1-150200.3.12.1, apache-commons-compress-1.26.0-150200.3.16.1, maven-jar-plugin-bootstrap-3.3.0-150200.3.10.1, xmvn-tools-4.2.0-150200.3.18.1, sbt-bootstrap-0.13.18-150200.4.19.7, maven-assembly-plugin-3.6.0-150200.3.10.1, xmvn-parent-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, maven-reporting-impl-3.2.0-150200.4.6.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, sbt-0.13.18-150200.4.19.7, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1
Basesystem Module 15-SP5 (src): apache-commons-codec-1.16.1-150200.3.9.1, apache-commons-io-2.15.1-150200.3.12.1
Development Tools Module 15-SP5 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, apache-commons-compress-1.26.0-150200.3.16.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1, xmvn-tools-4.2.0-150200.3.18.1
SUSE Package Hub 15 15-SP5 (src): sbt-bootstrap-0.13.18-150200.4.19.7, sbt-0.13.18-150200.4.19.7

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Fridrich Strba 2024-03-05 12:10:11 UTC
Fixed, please close.
Comment 8 Andrea Mattiazzo 2024-03-05 16:57:46 UTC
Closing.