ID

VAR-201710-0928

CVE

CVE-2017-12613

TITLE

Apache Portable Runtime Buffer error vulnerability

DESCRIPTION

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. Apache Portable Runtime Contains a buffer error vulnerability.Information is obtained and service operation is interrupted (DoS) There is a possibility of being put into a state. Apache Portable Runtime Utility is prone to multiple information-disclosure vulnerabilities. An attacker can exploit these issues to obtain sensitive information that may aid in further attacks. Failed exploit attempts will result in denial-of-service conditions. Apache Portable Runtime Utility (APR-util) 1.6.2 and prior versions are vulnerable. 7.2) - x86_64 3. Security Fix(es): * apr: Out-of-bounds array deref in apr_time_exp*() functions (CVE-2017-12613) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/): 1493220 - CVE-2017-12615 tomcat: Remote Code Execution via JSP Upload 1493222 - CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext 1494283 - CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 1506523 - CVE-2017-12613 apr: Out-of-bounds array deref in apr_time_exp*() functions 1540824 - CVE-2017-15698 tomcat-native: Mishandling of client certificates can allow for OCSP check bypass 1548282 - CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users 1548289 - CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources 5. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). Summary: An update is now available for JBoss Core Services on RHEL 7. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References. (CVE-2017-12613) * It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167) * A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169) * A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679) * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank Hanno BAPck for reporting CVE-2017-9798. Bugs fixed (https://bugzilla.redhat.com/): 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed) 1506523 - CVE-2017-12613 apr: Out-of-bounds array deref in apr_time_exp*() functions 6. JIRA issues fixed (https://issues.jboss.org/): JBCS-402 - Errata for httpd 2.4.23.SP3 RHEL7 7. X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 28 Nov 2017 22:43:47 +0000 (UTC) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: apr security update Advisory ID: RHSA-2017:3270-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2017:3270 Issue date: 2017-11-28 CVE Names: CVE-2017-12613 ===================================================================== 1. Summary: An update for apr is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le 3. Description: The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. Security Fix(es): * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Applications using the APR libraries, such as httpd, must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1506523 - CVE-2017-12613 apr: Out-of-bounds array deref in apr_time_exp*() functions 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: apr-1.3.9-5.el6_9.1.src.rpm i386: apr-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm x86_64: apr-1.3.9-5.el6_9.1.i686.rpm apr-1.3.9-5.el6_9.1.x86_64.rpm apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-devel-1.3.9-5.el6_9.1.i686.rpm x86_64: apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.x86_64.rpm apr-devel-1.3.9-5.el6_9.1.i686.rpm apr-devel-1.3.9-5.el6_9.1.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: apr-1.3.9-5.el6_9.1.src.rpm x86_64: apr-1.3.9-5.el6_9.1.i686.rpm apr-1.3.9-5.el6_9.1.x86_64.rpm apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.x86_64.rpm apr-devel-1.3.9-5.el6_9.1.i686.rpm apr-devel-1.3.9-5.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: apr-1.3.9-5.el6_9.1.src.rpm i386: apr-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-devel-1.3.9-5.el6_9.1.i686.rpm ppc64: apr-1.3.9-5.el6_9.1.ppc.rpm apr-1.3.9-5.el6_9.1.ppc64.rpm apr-debuginfo-1.3.9-5.el6_9.1.ppc.rpm apr-debuginfo-1.3.9-5.el6_9.1.ppc64.rpm apr-devel-1.3.9-5.el6_9.1.ppc.rpm apr-devel-1.3.9-5.el6_9.1.ppc64.rpm s390x: apr-1.3.9-5.el6_9.1.s390.rpm apr-1.3.9-5.el6_9.1.s390x.rpm apr-debuginfo-1.3.9-5.el6_9.1.s390.rpm apr-debuginfo-1.3.9-5.el6_9.1.s390x.rpm apr-devel-1.3.9-5.el6_9.1.s390.rpm apr-devel-1.3.9-5.el6_9.1.s390x.rpm x86_64: apr-1.3.9-5.el6_9.1.i686.rpm apr-1.3.9-5.el6_9.1.x86_64.rpm apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.x86_64.rpm apr-devel-1.3.9-5.el6_9.1.i686.rpm apr-devel-1.3.9-5.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: apr-1.3.9-5.el6_9.1.src.rpm i386: apr-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-devel-1.3.9-5.el6_9.1.i686.rpm x86_64: apr-1.3.9-5.el6_9.1.i686.rpm apr-1.3.9-5.el6_9.1.x86_64.rpm apr-debuginfo-1.3.9-5.el6_9.1.i686.rpm apr-debuginfo-1.3.9-5.el6_9.1.x86_64.rpm apr-devel-1.3.9-5.el6_9.1.i686.rpm apr-devel-1.3.9-5.el6_9.1.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: apr-1.4.8-3.el7_4.1.src.rpm x86_64: apr-1.4.8-3.el7_4.1.i686.rpm apr-1.4.8-3.el7_4.1.x86_64.rpm apr-debuginfo-1.4.8-3.el7_4.1.i686.rpm apr-debuginfo-1.4.8-3.el7_4.1.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: apr-debuginfo-1.4.8-3.el7_4.1.i686.rpm apr-debuginfo-1.4.8-3.el7_4.1.x86_64.rpm apr-devel-1.4.8-3.el7_4.1.i686.rpm apr-devel-1.4.8-3.el7_4.1.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): Source: apr-1.4.8-3.el7_4.1.src.rpm x86_64: apr-1.4.8-3.el7_4.1.i686.rpm apr-1.4.8-3.el7_4.1.x86_64.rpm apr-debuginfo-1.4.8-3.el7_4.1.i686.rpm apr-debuginfo-1.4.8-3.el7_4.1.x86_64.rpm apr-devel-1.4.8-3.el7_4.1.i686.rpm apr-devel-1.4.8-3.el7_4.1.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: apr-1.4.8-3.el7_4.1.src.rpm ppc64: apr-1.4.8-3.el7_4.1.ppc.rpm apr-1.4.8-3.el7_4.1.ppc64.rpm apr-debuginfo-1.4.8-3.el7_4.1.ppc.rpm apr-debuginfo-1.4.8-3.el7_4.1.ppc64.rpm apr-devel-1.4.8-3.el7_4.1.ppc.rpm apr-devel-1.4.8-3.el7_4.1.ppc64.rpm ppc64le: apr-1.4.8-3.el7_4.1.ppc64le.rpm apr-debuginfo-1.4.8-3.el7_4.1.ppc64le.rpm apr-devel-1.4.8-3.el7_4.1.ppc64le.rpm s390x: apr-1.4.8-3.el7_4.1.s390.rpm apr-1.4.8-3.el7_4.1.s390x.rpm apr-debuginfo-1.4.8-3.el7_4.1.s390.rpm apr-debuginfo-1.4.8-3.el7_4.1.s390x.rpm apr-devel-1.4.8-3.el7_4.1.s390.rpm apr-devel-1.4.8-3.el7_4.1.s390x.rpm x86_64: apr-1.4.8-3.el7_4.1.i686.rpm apr-1.4.8-3.el7_4.1.x86_64.rpm apr-debuginfo-1.4.8-3.el7_4.1.i686.rpm apr-debuginfo-1.4.8-3.el7_4.1.x86_64.rpm apr-devel-1.4.8-3.el7_4.1.i686.rpm apr-devel-1.4.8-3.el7_4.1.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: apr-1.4.8-3.el7_4.1.src.rpm aarch64: apr-1.4.8-3.el7_4.1.aarch64.rpm apr-debuginfo-1.4.8-3.el7_4.1.aarch64.rpm apr-devel-1.4.8-3.el7_4.1.aarch64.rpm ppc64le: apr-1.4.8-3.el7_4.1.ppc64le.rpm apr-debuginfo-1.4.8-3.el7_4.1.ppc64le.rpm apr-devel-1.4.8-3.el7_4.1.ppc64le.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: apr-1.4.8-3.el7_4.1.src.rpm x86_64: apr-1.4.8-3.el7_4.1.i686.rpm apr-1.4.8-3.el7_4.1.x86_64.rpm apr-debuginfo-1.4.8-3.el7_4.1.i686.rpm apr-debuginfo-1.4.8-3.el7_4.1.x86_64.rpm apr-devel-1.4.8-3.el7_4.1.i686.rpm apr-devel-1.4.8-3.el7_4.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-12613 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFaHeYxXlSAg2UNWIIRAq68AJ40znkuoeryDgG2kL1l2MTpL+oD6wCggb4M AW0e3FjuWmFdkBHik4lmxdc= =vZ+z -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS