Vulnerability CVE-2009-2412


Published: 2009-08-06   Modified: 2010-08-21

Description:
Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.

Type: CWE-189 (Numeric Errors)

Vendor: Apache
Product: Apr-util 
Version:
1.3.8
1.3.7
1.3.6-dev
1.3.6
1.3.5
1.3.4-dev
1.3.4
1.3.3
1.3.2
1.3.1
1.3.0
0.9.9
0.9.8
0.9.7-dev
0.9.6
0.9.5
0.9.4
0.9.3-dev
0.9.3
0.9.2-dev
0.9.2
0.9.16
0.9.1
Product: Portable runtime 
Version:
1.3.8
1.3.7
1.3.6-dev
1.3.6
1.3.5
1.3.4-dev
1.3.4
1.3.3
1.3.2
1.3.1
1.3.0
0.9.9
0.9.8
0.9.7-dev
0.9.7
0.9.6
0.9.5
0.9.4
0.9.3-dev
0.9.3
0.9.2-dev
0.9.2
0.9.16-dev
0.9.1

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://www.securityfocus.com/bid/35949
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00353.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00320.html
http://www.vupen.com/english/advisories/2010/1107
http://www.vupen.com/english/advisories/2009/3184
http://www.ubuntu.com/usn/usn-813-2
http://www.mandriva.com/security/advisories?name=MDVSA-2009:195
http://www-01.ibm.com/support/docview.wss?uid=swg1PK99482
http://www-01.ibm.com/support/docview.wss?uid=swg1PK93225
http://svn.apache.org/viewvc/apr/apr/branches/1.3.x/memory/unix/apr_pools.c?r1=678140&r2=800732
http://svn.apache.org/viewvc/apr/apr/branches/1.3.x/CHANGES?revision=800732&view=markup
http://svn.apache.org/viewvc/apr/apr/branches/0.9.x/memory/unix/apr_pools.c?r1=585356&r2=800733
http://svn.apache.org/viewvc/apr/apr/branches/0.9.x/CHANGES?revision=800733&view=markup
http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/misc/apr_rmm.c?r1=647687&r2=800735
http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/CHANGES?revision=800735&view=markup
http://svn.apache.org/viewvc/apr/apr-util/branches/0.9.x/misc/apr_rmm.c?r1=230441&r2=800736
http://svn.apache.org/viewvc/apr/apr-util/branches/0.9.x/CHANGES?revision=800736&view=markup
http://support.apple.com/kb/HT3937
http://secunia.com/advisories/37221
http://secunia.com/advisories/37152
http://secunia.com/advisories/36233
http://secunia.com/advisories/36166
http://secunia.com/advisories/36140
http://secunia.com/advisories/36138
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9958
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8394
http://osvdb.org/56766
http://osvdb.org/56765
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

Copyright 2017, cxsecurity.com