{"id":1957,"date":"2025-04-28T06:33:56","date_gmt":"2025-04-28T06:33:56","guid":{"rendered":"http:\/\/localhost\/?p=1957"},"modified":"2025-04-28T06:33:56","modified_gmt":"2025-04-28T06:33:56","slug":"security-bulletin-denial-of-service-in-apache-commons-compress-used-by-apache-solr-affect-ibm-operat","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=1957","title":{"rendered":"Security Bulletin: Denial of Service in Apache Commons Compress used by Apache Solr affect IBM Operations Analytics – Log Analysis (CVE-2024-25710, CVE-2024-26308)"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nSecurity Bulletin: Denial of Service in Apache Commons Compress used by Apache Solr affect IBM Operations Analytics – Log Analysis (CVE-2024-25710, CVE-2024-26308)<\/td>\n<\/tr>\n
Type<\/th>\nibm<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-28T09:21:24<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-28T10:56:35<\/td>\n<\/tr>\n
CVSS Score<\/th>\n8.1 (HIGH)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nLOCAL<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nHIGH<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2024-25710, CVE-2024-26308<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nsoftware<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ## Summary<\/p>\n

There is a potential denial of service in Apache Commons Compress that is used by Apache Solr and IBM Operations Analytics – Log Analysis. This is caused by loop with unreachable exit condition and allocation of resources without limits.<\/p>\n

## Vulnerability Details<\/p>\n

**CVEID:**CVE-2024-25710
\n**DESCRIPTION:** Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
\n**CWE:**CWE-835: Loop with Unreachable Exit Condition (‘Infinite Loop’)
\n**CVSS Source:** IBM X-Force
\n**CVSS Base score:** 5.5
\n**CVSS Vector:**(CVSS:3.0\/AV:L\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:N\/A:H) <\/p>\n

**CVEID:**CVE-2024-26308
\n**DESCRIPTION:** Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
\n**CWE:**CWE-770: Allocation of Resources Without Limits or Throttling
\n**CVSS Source:** IBM X-Force
\n**CVSS Base score:** 5.5
\n**CVSS Vector:**(CVSS:3.0\/AV:L\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:N\/A:H)<\/p>\n

## Affected Products and Versions<\/p>\n

Affected Product(s)| Version(s)
\n—|—
\nLog Analysis| 1.3.7.0
\nLog Analysis| 1.3.7.1
\nLog Analysis| 1.3.7.2
\nLog Analysis| 1.3.8.0 <\/p>\n

## Remediation\/Fixes<\/p>\n

Principal Product and Version(s)| Fix details
\n—|—
\nIBM Operations Analytics – Log Analysis version 1.3.7.0, 1.3.7.1, 1.3.7.2 and 1.3.8.0| \\- Upgrade existing Log Analysis to version 1.3.8 Fix Pack 1. Download and apply 1.3.8.1-TIV-IOALA-IF001 OR, \\- Alternatively, upgrade to version 1.3.8 Fix Pack 2 or later. <\/p>\n

## Workarounds and Mitigations<\/p>\n

None<\/p>\n

##\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n8.1<\/td>\n<\/tr>\n
Severity<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n