#VU87849 Infinite loop in xz - CVE-2021-29482

Cybersecurity Help s.r.o.

Published: 2024-03-27

Vulnerability identifier: #VU87849

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-29482

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
xz
Universal components / Libraries / Programming Languages & Components

Vendor: ulikunitz

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due the function readUvarint used to read the xz container format may not terminate a loop providing malicious input. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

xz: 0.1 - 0.5.7

External links
https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Multiple vulnerabilities in Red Hat OpenStack 16.2 packages

Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.0

Multiple vulnerabilities in OpenShift Virtualization 4.8