CVE-2021-35516 in dependency org.apache.commons:commons-compress

[redcatbear]

Situation

Testcontainers depends on org.apache.commons:commons-compress version 1.20, which has a reported vulnerability CVE-2021-35516. Specially crafted archives can be used to allocate large amounts of memory, resulting in DoS.

Solution

Please update dependency:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-compress</artifactId>
  <version>1.21</version>
</dependency>

[kiview]

Thanks for bringing this to our attention @redcatbear.

Please note that this is not an attack vector for normal Testcontainer usage scenarios and is unlikely to have exploitable consequences.

[redcatbear]

Thanks for recognizing the issue. I agree that the use case for an exploit is not the typical testcontainer scenario. Still it is a good idea to keep ones software as clean as possible and the fix in this case is luckily trivial.

[moritzluedtke]

Just as an addition:
CVE-2021-35517, CVE-2021-35515 and CVE-2021-36090 are also reported on commons-compress-1.20.jar when running the OWASP check and using Testcontainers 1.16.0.

@kiview Do you have an estimate on when the dependency bump will be released?

[moritzluedtke]

This issue is now over 3 month old. Any update on when this will be addressed? @kiview

[moritzluedtke]

This seems to be fixed (at least in 1.16.2). It would have been nice to include this issue in the release notes.

[rnorth]

@moritzluedtke sorry, looks like we missed this in the release notes. Will add now.

[moritzluedtke]

@rnorth Thank you!

[eddumelendez]

Closing due to it was fixed last year.