-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2428
  CVE-2018-11771: Apache Commons Compress 1.7 to 1.17 denial of service
                             vulnerability
                              20 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Commons Compress
Publisher:         The Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11771

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2018-11771: Apache Commons Compress 1.7 to 1.17 denial of service
vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Commons Compress 1.7 to 1.17

Description:
When reading a specially crafted ZIP archive, the read method of
ZipArchiveInputStream can fail to return the correct EOF indication after
the end of the stream has been reached. When combined with a
java.io.InputStreamReader this can lead to an infinite stream, which can be
used to mount a denial of service attack against services that use
Compress' zip package.

Mitigation:
Commons Compress users should upgrade to 1.18 or later.

Credit:
This issue was discovered by Tobias Ospelt of modzero AG.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.
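A defence-in-depth read loop for a service that unpacks untrusted ZIP input through Commons Compress, added here as an illustration; it is not part of the advisory or of the library, and the class name and the numeric limits are assumed values. It bounds bytes per entry, bytes per archive, entry count and consecutive zero-byte reads, so a stream that never signals EOF cannot keep a worker thread busy indefinitely; upgrading to 1.18 or later remains the actual fix.

```java
import java.io.IOException;
import java.io.InputStream;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/**
 * Bounded consumer for ZipArchiveInputStream (added example; the limits below
 * are assumed, tune them to the service). The caps bound the damage if read()
 * never returns -1 (CVE-2018-11771) and also stop oversized archives.
 */
public final class BoundedZipReader {
    private static final long MAX_ENTRY_BYTES = 8L * 1024 * 1024;   // 8 MiB per entry
    private static final long MAX_TOTAL_BYTES = 64L * 1024 * 1024;  // 64 MiB per archive
    private static final int MAX_ENTRIES = 1_000;                   // entries per archive
    private static final int MAX_ZERO_READS = 16;                   // consecutive 0-byte reads

    /** Reads every file entry and returns the total number of bytes consumed. */
    public static long readAll(InputStream rawZip) throws IOException {
        long total = 0;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipArchiveInputStream zin = new ZipArchiveInputStream(rawZip)) {
            ZipArchiveEntry entry;
            while ((entry = zin.getNextZipEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("too many entries (limit " + MAX_ENTRIES + ")");
                }
                if (entry.isDirectory()) continue;
                long entryBytes = 0;
                int zeroReads = 0;
                int n;
                // Leave the loop on -1 (EOF), on a byte cap, or after too many reads
                // that delivered nothing: a stream that never reports EOF, whether by
                // returning data forever or by returning 0 forever, cannot spin here.
                while ((n = zin.read(buf)) != -1) {
                    if (n == 0) {
                        if (++zeroReads > MAX_ZERO_READS) {
                            throw new IOException("stream stalled in entry " + entry.getName());
                        }
                        continue;
                    }
                    zeroReads = 0;
                    entryBytes += n;
                    total += n;
                    if (entryBytes > MAX_ENTRY_BYTES || total > MAX_TOTAL_BYTES) {
                        throw new IOException("size limit exceeded in entry " + entry.getName());
                    }
                    // process buf[0..n) here, e.g. feed it to a bounded decoder
                }
            }
        }
        return total;
    }
}
```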
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================