Vulnerability Details
Basic Information
| Title | Security Bulletin: Denial of Service in Apache Commons Compress used by Apache Solr affect IBM Operations Analytics – Log Analysis (CVE-2024-25710, CVE-2024-26308) |
|---|---|
| Type | ibm |
| Published | 2025-04-28T09:21:24 |
| Last Seen | 2025-04-28T10:56:35 |
| CVSS Score | 8.1 (HIGH) |
CVSS v3 Details
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2024-25710, CVE-2024-26308 |
|---|---|
| CWE | CWE-835 (CVE-2024-25710), CWE-770 (CVE-2024-26308) |
| Bulletin Family | software |
Description
Apache Commons Compress, which is used by Apache Solr and shipped with IBM Operations Analytics – Log Analysis, contains two denial-of-service flaws: an infinite loop when parsing a specially crafted DUMP archive (CWE-835, loop with unreachable exit condition) and unbounded memory allocation when parsing a specially crafted Pack200 archive (CWE-770, allocation of resources without limits). Either can exhaust the process that parses attacker-supplied archive data.
## Vulnerability Details
**CVEID:** CVE-2024-25710
**DESCRIPTION:** Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2024-26308
**DESCRIPTION:** Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:** (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
## Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Log Analysis | 1.3.7.0 |
| Log Analysis | 1.3.7.1 |
| Log Analysis | 1.3.7.2 |
| Log Analysis | 1.3.8.0 |
## Remediation/Fixes
| Principal Product and Version(s) | Fix details |
|---|---|
| IBM Operations Analytics – Log Analysis version 1.3.7.0, 1.3.7.1, 1.3.7.2 and 1.3.8.0 | Upgrade existing Log Analysis to version 1.3.8 Fix Pack 1, then download and apply 1.3.8.1-TIV-IOALA-IF001; or, alternatively, upgrade to version 1.3.8 Fix Pack 2 or later. |
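The bulletin names the fix packs but not the Apache Commons Compress version they carry, so before and after applying a fix it is worth confirming which commons-compress jars are actually on disk. The following Python script is an added example, not IBM's or Apache's code: it walks an install tree, reads each jar's Maven pom.properties (or, failing that, its manifest or file name) and flags any version below 1.26.0, the release in which Apache fixed both CVEs (taken from the Apache Commons Compress 1.26.0 release announcement, not from this bulletin). The install path and the jars written by `make_test_jar` are constructed fixtures for a self-contained run.

```python
import os
import re
import zipfile

# Both CVEs were fixed upstream in Apache Commons Compress 1.26.0 (Apache
# release announcement; the IBM bulletin does not state this).  Anything
# older is treated as affected.
FIXED_VERSION = (1, 26, 0)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_POM_PREFIX = "META-INF/maven/org.apache.commons/commons-compress/"


def parse_version(text):
    """Turn '1.25.0' or '1.21' into a comparable tuple; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version):
    """True if the version string is older than the fixed release."""
    v = parse_version(version)
    return v is not None and v < FIXED_VERSION


def jar_version(path):
    """Return the Commons Compress version found in a jar, or None if the
    jar is not Commons Compress.  Order: Maven pom.properties, then the
    OSGi manifest, then the file name as a last resort."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            for name in names:
                if name.startswith(_POM_PREFIX) and name.endswith("pom.properties"):
                    for line in zf.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            return line.split("=", 1)[1].strip()
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                # Older builds use org.apache.commons.compress, newer ones
                # org.apache.commons.commons-compress as the bundle name.
                bundle = re.search(r"^Bundle-SymbolicName:\s*org\.apache\.commons\.(?:commons-)?compress\b",
                                   manifest, re.M)
                impl = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if bundle and impl:
                    return impl.group(1)
    except zipfile.BadZipFile:
        pass
    m = re.match(r"commons-compress-(\d[\w.]*?)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def find_affected_jars(root):
    """Walk an install tree and return sorted [(path, version)] for every
    Commons Compress jar older than FIXED_VERSION."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.endswith(".jar"):
                continue
            path = os.path.join(dirpath, f)
            ver = jar_version(path)
            if ver is not None and is_affected(ver):
                hits.append((path, ver))
    return sorted(hits)


def make_test_jar(path, version):
    """Write a minimal jar carrying only Maven pom.properties.
    Constructed test fixture, not a real Commons Compress build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            _POM_PREFIX + "pom.properties",
            f"groupId=org.apache.commons\nartifactId=commons-compress\nversion={version}\n",
        )


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        root = sys.argv[1]  # e.g. the Log Analysis install directory
    else:
        root = tempfile.mkdtemp()  # constructed tree with one old and one fixed jar
        make_test_jar(os.path.join(root, "commons-compress-1.25.0.jar"), "1.25.0")
        make_test_jar(os.path.join(root, "commons-compress-1.26.0.jar"), "1.26.0")
    for path, ver in find_affected_jars(root):
        print(f"AFFECTED {ver}: {path}")
```

Run it against the product install directory; an empty result after the fix pack is applied means no pre-1.26.0 Commons Compress jar remains. The script reads the version from inside the jar before trusting the file name, because repackaged or shaded jars (a Solr or product bundle may rename them) often drop the version from the name while keeping pom.properties.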
## Workarounds and Mitigations
None
Impact Assessment
| Base Score | 8.1 |
|---|---|
| Severity | HIGH |

The 8.1 HIGH headline score corresponds to the vector listed under CVSS v3 Details above (local, high complexity, scope changed, high impact on confidentiality, integrity and availability) and is the aggregator's rating, not IBM's. IBM X-Force scores each CVE 5.5 MEDIUM (local, user interaction required, availability impact only), as shown under Vulnerability Details; use the vendor score when prioritizing this fix against others for Log Analysis.