csaf_redhat - rhsa-2018

rhsa-2018_0316

Vulnerability from csaf_redhat

Published

2018-02-13 17:19

Modified

2024-11-14 21:48

Summary

Red Hat Security Advisory: httpd24-apr security update

Notes

Topic

An update for httpd24-apr is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. Security Fix(es): * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for httpd24-apr is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines.\n\nSecurity Fix(es):\n\n* An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2018:0316",
        "url": "https://access.redhat.com/errata/RHSA-2018:0316"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1506523",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1506523"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_0316.json"
      }
    ],
    "title": "Red Hat Security Advisory: httpd24-apr security update",
    "tracking": {
      "current_release_date": "2024-11-14T21:48:09+00:00",
      "generator": {
        "date": "2024-11-14T21:48:09+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2018:0316",
      "initial_release_date": "2018-02-13T17:19:19+00:00",
      "revision_history": [
        {
          "date": "2018-02-13T17:19:19+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-02-13T17:19:19+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-14T21:48:09+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
                "product": {
                  "name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
                  "product_id": "6Server-RHSCL-3.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
                "product": {
                  "name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
                  "product_id": "6Workstation-RHSCL-3.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
                "product": {
                  "name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
                  "product_id": "6Server-RHSCL-3.0-6.7.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Software Collections"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "httpd24-apr-0:1.5.1-1.el6.1.x86_64",
                "product": {
                  "name": "httpd24-apr-0:1.5.1-1.el6.1.x86_64",
                  "product_id": "httpd24-apr-0:1.5.1-1.el6.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24-apr@1.5.1-1.el6.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
                "product": {
                  "name": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
                  "product_id": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24-apr-devel@1.5.1-1.el6.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
                "product": {
                  "name": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
                  "product_id": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24-apr-debuginfo@1.5.1-1.el6.1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "httpd24-apr-0:1.5.1-1.el6.1.src",
                "product": {
                  "name": "httpd24-apr-0:1.5.1-1.el6.1.src",
                  "product_id": "httpd24-apr-0:1.5.1-1.el6.1.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24-apr@1.5.1-1.el6.1?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-0:1.5.1-1.el6.1.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
          "product_id": "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-0:1.5.1-1.el6.1.src"
        },
        "product_reference": "httpd24-apr-0:1.5.1-1.el6.1.src",
        "relates_to_product_reference": "6Server-RHSCL-3.0-6.7.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
          "product_id": "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Server-RHSCL-3.0-6.7.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
          "product_id": "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Server-RHSCL-3.0-6.7.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
          "product_id": "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Server-RHSCL-3.0-6.7.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-0:1.5.1-1.el6.1.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
          "product_id": "6Server-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.src"
        },
        "product_reference": "httpd24-apr-0:1.5.1-1.el6.1.src",
        "relates_to_product_reference": "6Server-RHSCL-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
          "product_id": "6Server-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Server-RHSCL-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
          "product_id": "6Server-RHSCL-3.0:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Server-RHSCL-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
          "product_id": "6Server-RHSCL-3.0:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Server-RHSCL-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-0:1.5.1-1.el6.1.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
          "product_id": "6Workstation-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.src"
        },
        "product_reference": "httpd24-apr-0:1.5.1-1.el6.1.src",
        "relates_to_product_reference": "6Workstation-RHSCL-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
          "product_id": "6Workstation-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Workstation-RHSCL-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
          "product_id": "6Workstation-RHSCL-3.0:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Workstation-RHSCL-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64 as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
          "product_id": "6Workstation-RHSCL-3.0:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64"
        },
        "product_reference": "httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
        "relates_to_product_reference": "6Workstation-RHSCL-3.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-12613",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "discovery_date": "2017-10-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1506523"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apr: Out-of-bounds array deref in apr_time_exp*() functions",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-0:1.5.1-1.el6.1.src",
          "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
          "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
          "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
          "6Server-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.src",
          "6Server-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
          "6Server-RHSCL-3.0:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
          "6Server-RHSCL-3.0:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
          "6Workstation-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.src",
          "6Workstation-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
          "6Workstation-RHSCL-3.0:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
          "6Workstation-RHSCL-3.0:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-12613"
        },
        {
          "category": "external",
          "summary": "RHBZ#1506523",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1506523"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-12613",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-12613"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-12613",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12613"
        },
        {
          "category": "external",
          "summary": "http://www.apache.org/dist/apr/Announcement1.x.html",
          "url": "http://www.apache.org/dist/apr/Announcement1.x.html"
        }
      ],
      "release_date": "2017-10-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2018-02-13T17:19:19+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nApplications using the APR libraries, such as httpd, must be restarted for this update to take effect.",
          "product_ids": [
            "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-0:1.5.1-1.el6.1.src",
            "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.src",
            "6Server-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
            "6Workstation-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.src",
            "6Workstation-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
            "6Workstation-RHSCL-3.0:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
            "6Workstation-RHSCL-3.0:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2018:0316"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-0:1.5.1-1.el6.1.src",
            "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0-6.7.Z:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.src",
            "6Server-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
            "6Server-RHSCL-3.0:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64",
            "6Workstation-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.src",
            "6Workstation-RHSCL-3.0:httpd24-apr-0:1.5.1-1.el6.1.x86_64",
            "6Workstation-RHSCL-3.0:httpd24-apr-debuginfo-0:1.5.1-1.el6.1.x86_64",
            "6Workstation-RHSCL-3.0:httpd24-apr-devel-0:1.5.1-1.el6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "apr: Out-of-bounds array deref in apr_time_exp*() functions"
    }
  ]
}

cve-2017-12613

Vulnerability from cvelistv5

Published

2017-10-24 01:00

Modified

2024-08-05 18:43

Severity ?

Summary

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

References

▼	URL	Tags
	https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html	mailing-list, x_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2018:0316	vendor-advisory, x_refsource_REDHAT
	https://svn.apache.org/viewvc?view=revision&revision=1807976	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1042004	vdb-entry, x_refsource_SECTRACK
	https://access.redhat.com/errata/RHSA-2017:3475	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:0465	vendor-advisory, x_refsource_REDHAT
	http://www.apache.org/dist/apr/Announcement1.x.html	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2017:3270	vendor-advisory, x_refsource_REDHAT
	https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E	mailing-list, x_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2017:3476	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:1253	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2017:3477	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2018:0466	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/101560	vdb-entry, x_refsource_BID
	https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9%40%3Ccommits.apr.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339%40%3Ccommits.apr.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/08/23/1	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html	mailing-list, x_refsource_MLIST

Impacted products

▼	Vendor	Product
	Apache Software Foundation	Apache Portable Runtime

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.151Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[debian-lts-announce] 20171106 [SECURITY] [DLA 1162-1] apr security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html"
          },
          {
            "name": "RHSA-2018:0316",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0316"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1807976"
          },
          {
            "name": "1042004",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1042004"
          },
          {
            "name": "RHSA-2017:3475",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3475"
          },
          {
            "name": "RHSA-2018:0465",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0465"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.apache.org/dist/apr/Announcement1.x.html"
          },
          {
            "name": "RHSA-2017:3270",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3270"
          },
          {
            "name": "[announce] 20171023 Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "RHSA-2017:3476",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3476"
          },
          {
            "name": "RHSA-2018:1253",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1253"
          },
          {
            "name": "RHSA-2017:3477",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2017:3477"
          },
          {
            "name": "RHSA-2018:0466",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0466"
          },
          {
            "name": "101560",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101560"
          },
          {
            "name": "[apr-commits] 20210816 svn commit: r1892358 - /apr/apr/branches/1.7.x/CHANGES",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9%40%3Ccommits.apr.apache.org%3E"
          },
          {
            "name": "[apr-commits] 20210820 svn commit: r49582 - /release/apr/patches/apr-1.7.0-CVE-2021-35940.patch",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339%40%3Ccommits.apr.apache.org%3E"
          },
          {
            "name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
          },
          {
            "name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
          },
          {
            "name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20220124 [SECURITY] [DLA 2897-1] apr security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Portable Runtime",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.6.2 and prior"
            }
          ]
        }
      ],
      "datePublic": "2017-10-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-25T01:06:07",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[debian-lts-announce] 20171106 [SECURITY] [DLA 1162-1] apr security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html"
        },
        {
          "name": "RHSA-2018:0316",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0316"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1807976"
        },
        {
          "name": "1042004",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1042004"
        },
        {
          "name": "RHSA-2017:3475",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3475"
        },
        {
          "name": "RHSA-2018:0465",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0465"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.apache.org/dist/apr/Announcement1.x.html"
        },
        {
          "name": "RHSA-2017:3270",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3270"
        },
        {
          "name": "[announce] 20171023 Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "RHSA-2017:3476",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3476"
        },
        {
          "name": "RHSA-2018:1253",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1253"
        },
        {
          "name": "RHSA-2017:3477",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2017:3477"
        },
        {
          "name": "RHSA-2018:0466",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0466"
        },
        {
          "name": "101560",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101560"
        },
        {
          "name": "[apr-commits] 20210816 svn commit: r1892358 - /apr/apr/branches/1.7.x/CHANGES",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9%40%3Ccommits.apr.apache.org%3E"
        },
        {
          "name": "[apr-commits] 20210820 svn commit: r49582 - /release/apr/patches/apr-1.7.0-CVE-2021-35940.patch",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339%40%3Ccommits.apr.apache.org%3E"
        },
        {
          "name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
        },
        {
          "name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
        },
        {
          "name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E"
        },
        {
          "name": "[debian-lts-announce] 20220124 [SECURITY] [DLA 2897-1] apr security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2017-12613",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Portable Runtime",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.6.2 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[debian-lts-announce] 20171106 [SECURITY] [DLA 1162-1] apr security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html"
            },
            {
              "name": "RHSA-2018:0316",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0316"
            },
            {
              "name": "https://svn.apache.org/viewvc?view=revision\u0026revision=1807976",
              "refsource": "CONFIRM",
              "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1807976"
            },
            {
              "name": "1042004",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1042004"
            },
            {
              "name": "RHSA-2017:3475",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:3475"
            },
            {
              "name": "RHSA-2018:0465",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0465"
            },
            {
              "name": "http://www.apache.org/dist/apr/Announcement1.x.html",
              "refsource": "CONFIRM",
              "url": "http://www.apache.org/dist/apr/Announcement1.x.html"
            },
            {
              "name": "RHSA-2017:3270",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:3270"
            },
            {
              "name": "[announce] 20171023 Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E"
            },
            {
              "name": "RHSA-2017:3476",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:3476"
            },
            {
              "name": "RHSA-2018:1253",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1253"
            },
            {
              "name": "RHSA-2017:3477",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2017:3477"
            },
            {
              "name": "RHSA-2018:0466",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0466"
            },
            {
              "name": "101560",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101560"
            },
            {
              "name": "[apr-commits] 20210816 svn commit: r1892358 - /apr/apr/branches/1.7.x/CHANGES",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9@%3Ccommits.apr.apache.org%3E"
            },
            {
              "name": "[apr-commits] 20210820 svn commit: r49582 - /release/apr/patches/apr-1.7.0-CVE-2021-35940.patch",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339@%3Ccommits.apr.apache.org%3E"
            },
            {
              "name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e@%3Cdev.apr.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
            },
            {
              "name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E"
            },
            {
              "name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8@%3Cdev.apr.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20220124 [SECURITY] [DLA 2897-1] apr security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2017-12613",
    "datePublished": "2017-10-24T01:00:00",
    "dateReserved": "2017-08-07T00:00:00",
    "dateUpdated": "2024-08-05T18:43:56.151Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted