
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN355
_____________________________________________________________________

DATE                : 15/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Ant versions prior to
                                    1.9.16, 1.10.11.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202107.mbox/%3c17c1d32d-1d14-c809-2caf-01d991753125@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202107.mbox/%3ccd618860-3136-070e-a2ab-dac159238c07@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202107.mbox/%3c87mtqq167u.fsf@v45346.1blu.de%3e
_____________________________________________________________________


CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability

Description:

When reading a specially crafted TAR archive an Apache Ant build can be
made to allocate large amounts of memory that finally leads to an out of
memory error, even for small inputs. This can be used to disrupt builds
using Apache Ant.


Mitigation:

Apache Ant 1.9.x users should upgrade to 1.9.16 or later.
Apache Ant 1.10.x users should upgrade to 1.10.11 or later.


Credit:

This issue is similar to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517 present
in Apache Commons Compress which has been detected by OSS Fuzz.


References:

https://ant.apache.org/security.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517

________________________________________________________________

CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service
vulnerability

Description:

When reading a specially crafted ZIP archive, or a derived format,
an Apache Ant build can be made to allocate large amounts of memory
that leads to an out of memory error, even for small inputs. This can
be used to disrupt builds using Apache Ant.

Commonly used derived formats from ZIP archives are for instance JAR
files and many office files.


Mitigation:

Apache Ant 1.9.x users should upgrade to 1.9.16 or later.
Apache Ant 1.10.x users should upgrade to 1.10.11 or later.


Credit:

This issue is similar to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090 present
in Apache Commons Compress which has been detected by OSS Fuzz.


References:

https://ant.apache.org/security.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090
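
Added example (not part of the Apache announcements): a check that
classifies `ant -version` banners against the fixed releases 1.9.16 and
1.10.11 named in the mitigation sections above. The host names, sample
banners and the handling of release lines other than 1.9.x and 1.10.x
are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED = {(1, 9): (1, 9, 16), (1, 10): (1, 10, 11)}

# Banner printed by `ant -version`; older releases omit the "(TM)".
BANNER = re.compile(r"Apache Ant(?:\(TM\))? version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_ant_version(banner):
    """Return (major, minor, patch) from an `ant -version` banner, or None."""
    m = BANNER.search(banner)
    if m is None:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(banner):
    """Return 'affected', 'fixed' or 'unknown' for one banner line."""
    version = parse_ant_version(banner)
    if version is None:
        return "unknown"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Assumption: lines older than 1.9 count as "prior to 1.9.16";
        # anything newer than 1.10.x is outside what the advisory covers.
        return "affected" if version < (1, 9, 0) else "unknown"
    # Tuples compare numerically, so 1.9.7 < 1.9.16 and 1.10.9 < 1.10.11,
    # which a plain string comparison would get wrong.
    return "affected" if version < fixed else "fixed"


def audit(inventory):
    """Return the sorted host names whose banner is affected or unparseable."""
    return sorted(h for h, b in inventory.items() if classify(b) != "fixed")


# Constructed sample inventory: host names and compile dates are made up.
SAMPLE = {
    "build-01": "Apache Ant(TM) version 1.10.9 compiled on January 1 2021",
    "build-02": "Apache Ant(TM) version 1.10.11 compiled on January 1 2021",
    "build-03": "Apache Ant(TM) version 1.9.7 compiled on January 1 2021",
    "build-04": "Apache Ant(TM) version 1.9.16 compiled on January 1 2021",
    "build-05": "Apache Ant version 1.7.1 compiled on January 1 2021",
    "build-06": "ant: command not found",
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(host, classify(SAMPLE[host]))
```

Hosts whose banner cannot be parsed are reported together with the
affected ones so that they get checked by hand.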

_____________________________________________________________________

The Apache Ant Team is pleased to announce the releases of Apache Ant
1.9.16 and 1.10.11.

Apache Ant is a Java library and command-line tool that helps building
software.

The Apache Ant team currently maintains two lines of development. The
1.9.x releases require Java5 at runtime and 1.10.x requires Java8 at
runtime. Both lines are based off of Ant 1.9.7 and the 1.9.x releases
are mostly bug fix releases while additional new features are developed
for 1.10.x. We recommend using 1.10.11 unless you are required to use
versions of Java prior to Java8 during the build process.

Ant 1.10.11 contains a superset of 1.9.16 - with the exception of a few
tasks and features that no longer work with Java8 anyway (like the apt
task).

Both releases address potential denial of service vulnerabilities, see
the upcoming CVE announcement or https://ant.apache.org/security.html
for details.

Source and binary distributions are available for download from the
Apache Ant download site:

https://ant.apache.org/bindownload.cgi

When downloading, please verify signatures using the KEYS file available
at the above location when downloading the release.

Changes in 1.10.11 include:
==========================

Fixed bugs:
-----------

 * a race condition could lead to NullPointerExceptions when running
   tasks in parallel.
   Bugzilla Report 65316

 * fixed potential OutOfMemory errors when reading broken archives
   using the tar or zip formats or formats derived from zip.

Other changes:
--------------

 * org.apache.tools.ant.taskdefs.optional.junitlauncher.confined.JUnitLauncherTask
   now has a new protected createExecuteWatchdog() method for allowing it
   to be overridden.
   Github Pull Request #147

 * Upgraded AntUnit to 1.4.1.

Changes in 1.9.16 include:
==========================

Other changes:
--------------

 * Upgraded AntUnit to 1.4.1.

Fixed bugs:
-----------

 * Fixes a bug where the ant-testutil-sources.jar that gets published to
   Maven central repository didn't contain any source files.
   Bugzilla Report 65110

 * fixed potential OutOfMemory errors when reading broken archives
   using the tar or zip formats or formats derived from zip.

For complete information on Ant, including instructions on how to submit
bug reports, patches, or suggestions for improvement, see the Apache Ant
website:

https://ant.apache.org/

Stefan Bodewig, on behalf of the Apache Ant community

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



