Vulnerability CVE-2009-2412


Published: 2009-08-06   Modified: 2010-08-21

Description:
Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.
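The size-computation flaw the description refers to, as an added illustration that is not APR's or APR-util's own code: a pool allocator adds a node header to the request and rounds up to a boundary, and if that arithmetic wraps it returns a block far smaller than requested, which later writes overrun. The constants `BOUNDARY_SIZE` and `NODE_OVERHEAD` and all function names are assumed for the example; `node_size_checked` shows the wrap check a fixed allocator needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed values for illustration, not copied from APR. */
#define BOUNDARY_SIZE 4096u
#define NODE_OVERHEAD 32u   /* header stored in front of each node */
#define ALIGN_UP(s, b) (((s) + ((b) - 1)) & ~((size_t)((b) - 1)))

/* Vulnerable pattern: in_size + overhead, then rounding, with no check.
 * A request near SIZE_MAX wraps to a small value, so the caller gets a
 * block of a few KiB while believing it owns nearly SIZE_MAX bytes. */
size_t node_size_unchecked(size_t in_size)
{
    return ALIGN_UP(in_size + NODE_OVERHEAD, BOUNDARY_SIZE);
}

/* Hardened pattern: the rounded size can never be smaller than the
 * request unless the arithmetic wrapped, so that comparison detects
 * overflow. Returns 0 on overflow (0 is never a valid rounded size,
 * because the header is always added). */
size_t node_size_checked(size_t in_size)
{
    size_t size = ALIGN_UP(in_size + NODE_OVERHEAD, BOUNDARY_SIZE);
    if (size < in_size)
        return 0;
    return size;
}

/* Allocation front end that refuses wrapped requests instead of
 * handing back an undersized block. */
void *safe_node_alloc(size_t in_size)
{
    size_t size = node_size_checked(in_size);
    if (size == 0)
        return NULL;
    return malloc(size);
}
```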

Type: CWE-189 (Numeric Errors)

Vendor: Apache

Product: APR-util
Version: 1.3.8, 1.3.7, 1.3.6-dev, 1.3.6, 1.3.5, 1.3.4-dev, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0, 0.9.9, 0.9.8, 0.9.7-dev, 0.9.6, 0.9.5, 0.9.4, 0.9.3-dev, 0.9.3, 0.9.2-dev, 0.9.2, 0.9.16, 0.9.1

Product: Portable Runtime (APR)
Version: 1.3.8, 1.3.7, 1.3.6-dev, 1.3.6, 1.3.5, 1.3.4-dev, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0, 0.9.9, 0.9.8, 0.9.7-dev, 0.9.7, 0.9.6, 0.9.5, 0.9.4, 0.9.3-dev, 0.9.3, 0.9.2-dev, 0.9.2, 0.9.16-dev, 0.9.1

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://www.securityfocus.com/bid/35949
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00353.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00320.html
http://www.vupen.com/english/advisories/2010/1107
http://www.vupen.com/english/advisories/2009/3184
http://www.ubuntu.com/usn/usn-813-2
http://www.mandriva.com/security/advisories?name=MDVSA-2009:195
http://www-01.ibm.com/support/docview.wss?uid=swg1PK99482
http://www-01.ibm.com/support/docview.wss?uid=swg1PK93225
http://svn.apache.org/viewvc/apr/apr/branches/1.3.x/memory/unix/apr_pools.c?r1=678140&r2=800732
http://svn.apache.org/viewvc/apr/apr/branches/1.3.x/CHANGES?revision=800732&view=markup
http://svn.apache.org/viewvc/apr/apr/branches/0.9.x/memory/unix/apr_pools.c?r1=585356&r2=800733
http://svn.apache.org/viewvc/apr/apr/branches/0.9.x/CHANGES?revision=800733&view=markup
http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/misc/apr_rmm.c?r1=647687&r2=800735
http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/CHANGES?revision=800735&view=markup
http://svn.apache.org/viewvc/apr/apr-util/branches/0.9.x/misc/apr_rmm.c?r1=230441&r2=800736
http://svn.apache.org/viewvc/apr/apr-util/branches/0.9.x/CHANGES?revision=800736&view=markup
http://support.apple.com/kb/HT3937
http://secunia.com/advisories/37221
http://secunia.com/advisories/37152
http://secunia.com/advisories/36233
http://secunia.com/advisories/36166
http://secunia.com/advisories/36140
http://secunia.com/advisories/36138
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9958
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8394
http://osvdb.org/56766
http://osvdb.org/56765
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html


Copyright 2017, cxsecurity.com