And which ofbiz versions use commons/bzip2? Might have to check catalina, jetty, etc.
On 05/23/2012 11:07 AM, Adrian Crum wrote: > > > -------- Original Message -------- > Subject: [CVE-2012-2098] Apache Commons Compress and Apache Ant > denial of service vulnerability > Date: Wed, 23 May 2012 16:00:48 +0200 > From: Stefan Bodewig <bode...@apache.org> > Reply-To: Commons Developers List <d...@commons.apache.org> > To: d...@commons.apache.org, u...@commons.apache.org, > d...@ant.apache.org, u...@ant.apache.org, annou...@apache.org, > secur...@apache.org, full-disclos...@lists.grok.org.uk, > bugt...@securityfocus.com, David Jorm <dj...@redhat.com> > > > > CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service > vulnerability > > Severity: Low > > Vendor: > The Apache Software Foundation > > Versions Affected: > Apache Commons Compress 1.0 to 1.4 > Apache Ant 1.5 to 1.8.3 > > Description: > The bzip2 compressing streams in Apache Commons Compress and Apache Ant > internally use sorting algorithms with unacceptable worst-case > performance on very repetitive inputs. A specially crafted input to > Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used > to make the process spend a very long time while using up all available > processing time effectively leading to a denial of service. > > Mitigation: > Commons Compress users should upgrade to 1.4.1 > Ant users should upgrade to 1.8.4 > > Credit: > This issue was discovered by David Jorm of the Red Hat Security Response > Team. > > References: > http://commons.apache.org/compress/security.html > http://ant.apache.org/security.html > > Stefan Bodewig > >