ID CVE-2017-12613
Summary When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:portable_runtime:1.6.2
    cpe:2.3:a:apache:portable_runtime:1.6.2
CVSS
Base: 3.6
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
nessus via4
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0053.NASL
    description An update of [apr,ncurses] packages for PhotonOS has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 111902
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111902
    title Photon OS 2.0: Apr / Ncurses PHSA-2017-0053 (deprecated)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2018-005.NASL
    description The remote host is running Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components : - afpserver - AppleGraphicsControl - APR - ATS - CFNetwork - CoreAnimation - CoreCrypto - CoreFoundation - CUPS - Dictionary - dyld - Foundation - Heimdal - Hypervisor - ICU - Intel Graphics Driver - IOGraphics - IOHIDFamily - IOKit - IOUserEthernet - IPSec - Kernel - Login Window - mDNSOffloadUserClient - MediaRemote - Microcode - Perl - Ruby - Security - Spotlight - Symptom Framework - WiFi
    last seen 2019-02-21
    modified 2019-01-09
    plugin id 118573
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118573
    title macOS and Mac OS X Multiple Vulnerabilities (Security Update 2018-005)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-450.NASL
    description This update fixes the following issues : - CVE-2017-12613: DoS or information disclosure in pr_exp_time*() or apr_os_exp_time*() functions (bsc#1064982). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-05-11
    plugin id 109719
    published 2018-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109719
    title openSUSE Security Update : libapr1 (openSUSE-2018-450)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1196-1.NASL
    description This update fixes the following issues : - CVE-2017-12613: DoS or information disclosure in pr_exp_time*() or apr_os_exp_time*() functions (bsc#1064982). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 109679
    published 2018-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109679
    title SUSE SLES12 Security Update : libapr1 (SUSE-SU-2018:1196-1)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-1_0-0093.NASL
    description An update of 'linux', 'krb5', 'subversion', 'apr', 'ncurses' packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111903
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111903
    title Photon OS 1.0: Apr / Krb5 / Linux / Ncurses / Subversion PHSA-2017-1.0-0093 (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-8D2CFC3752.NASL
    description Security fix + version update Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 104603
    published 2017-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104603
    title Fedora 26 : apr (2017-8d2cfc3752)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-3270.NASL
    description An update for apr is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. Security Fix(es) : * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104818
    published 2017-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104818
    title CentOS 6 / 7 : apr (CESA-2017:3270)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_14.NASL
    description The remote host is running a version of Mac OS X that is prior to 10.13.6 or is not macOS 10.14. It is, therefore, affected by multiple vulnerabilities in the following components : - afpserver - AppleGraphicsControl - Application Firewall - App Store - APR - ATS - Auto Unlock - Bluetooth - CFNetwork - CoreFoundation - CoreText - Crash Reporter - CUPS - Dictionary - Grand Central Dispatch - Heimdal - Hypervisor - iBooks - Intel Graphics Driver - IOHIDFamily - IOKit - IOUserEthernet - Kernel - LibreSSL - Login Window - mDNSOffloadUserClient - MediaRemote - Microcode - Security - Spotlight - Symptom Framework - Text - Wi-Fi Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 118178
    published 2018-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118178
    title macOS < 10.14 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3476.NASL
    description An update is now available for JBoss Core Services on RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613) * It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167) * A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169) * A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679) * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank Hanno Bock for reporting CVE-2017-9798.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 105368
    published 2017-12-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105368
    title RHEL 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.23 (RHSA-2017:3476) (Optionsbleed)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-1_0-0093_APR.NASL
    description An update of the apr package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121778
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121778
    title Photon OS 1.0: Apr PHSA-2017-1.0-0093
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1253.NASL
    description An update for apr is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux 6.6 Telco Extended Update Support, Red Hat Enterprise Linux 6.7 Extended Update Support, Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 7.3 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. Security Fix(es) : * apr: Out-of-bounds array deref in apr_time_exp*() functions (CVE-2017-12613) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109391
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109391
    title RHEL 6 / 7 : apr (RHSA-2018:1253)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-928.NASL
    description An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak.(CVE-2017-12613)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 105052
    published 2017-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105052
    title Amazon Linux AMI : apr (ALAS-2017-928)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-3270.NASL
    description An update for apr is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. Security Fix(es) : * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 105048
    published 2017-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105048
    title Virtuozzo 7 : apr / apr-devel (VZLSA-2017-3270)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL52319810.NASL
    description When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input. (CVE-2017-12613) Impact This vulnerability may allow unauthorized information disclosure or denial of service.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 118678
    published 2018-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118678
    title F5 Networks BIG-IP : Apache Portable Runtime vulnerability (K52319810)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0053_APR.NASL
    description An update of the apr package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121776
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121776
    title Photon OS 2.0: Apr PHSA-2017-0053
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1162.NASL
    description It was discovered that there was an out-of-bounds memory vulnerability in apr, a support/portability library for various applications. When the apr_exp_time*() or apr_os_exp_time*() functions were invoked with an invalid month field value, out of bounds memory may have been be accessed when converting this value to an apr_time_exp_t value. This could have potentially revealed the contents of a different static heap value or resulted in program termination. For Debian 7 'Wheezy', this issue has been fixed in apr version 1.4.6-3+deb7u2. We recommend that you upgrade your apr packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 104412
    published 2017-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104412
    title Debian DLA-1162-1 : apr security update
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD_10_13_6_2018-002.NASL
    description The remote host is running macOS 10.13.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components : - fpserver - AppleGraphicsControl - APR - ATS - CFNetwork - CoreAnimation - CoreCrypto - CoreFoundation - CUPS - Dictionary - dyld - EFI - Foundation - Grand Central Dispatch - Heimdal - Hypervisor - ICU - Intel Graphics Driver - IOGraphics - IOHIDFamily - IOKit - IOUserEthernet - IPSec - Kernel - Login Window - mDNSOffloadUserClient - MediaRemote - Microcode - NetworkExtension - Security - Spotlight - Symptom Framework - WiFi
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 118575
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118575
    title macOS 10.13.6 Multiple Vulnerabilities (Security Update 2018-002)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3270.NASL
    description From Red Hat Security Advisory 2017:3270 : An update for apr is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. Security Fix(es) : * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613)
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 104838
    published 2017-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104838
    title Oracle Linux 6 / 7 : apr (ELSA-2017-3270)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0466.NASL
    description An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 2 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * apr: Out-of-bounds array deref in apr_time_exp*() functions (CVE-2017-12613) * tomcat: Remote Code Execution via JSP Upload (CVE-2017-12615) * tomcat: Information Disclosure when using VirtualDirContext (CVE-2017-12616) * tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617) * tomcat-native: Mishandling of client certificates can allow for OCSP check bypass (CVE-2017-15698) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 107208
    published 2018-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107208
    title RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 2 (RHSA-2018:0466)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3270.NASL
    description An update for apr is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines. Security Fix(es) : * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104842
    published 2017-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104842
    title RHEL 6 / 7 : apr (RHSA-2017:3270)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1322-1.NASL
    description This update fixes the following issues : - CVE-2017-12613: DoS or information disclosure in pr_exp_time*() or apr_os_exp_time*() functions (bsc#1064982). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 109889
    published 2018-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109889
    title SUSE SLES11 Security Update : libapr1 (SUSE-SU-2018:1322-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1303.NASL
    description According to the version of the apr packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak.(CVE-2017-12613) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104921
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104921
    title EulerOS 2.0 SP1 : apr (EulerOS-SA-2017-1303)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3477.NASL
    description An update is now available for JBoss Core Services on RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613) * It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167) * A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169) * A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679) * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank Hanno Bock for reporting CVE-2017-9798.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 105369
    published 2017-12-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105369
    title RHEL 6 : Red Hat JBoss Core Services Apache HTTP Server 2.4.23 (RHSA-2017:3477) (Optionsbleed)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1304.NASL
    description According to the version of the apr packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak.(CVE-2017-12613) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 104922
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104922
    title EulerOS 2.0 SP2 : apr (EulerOS-SA-2017-1304)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-48368DE8C9.NASL
    description Security fix + version update Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 105866
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105866
    title Fedora 27 : apr (2017-48368de8c9)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171129_APR_ON_SL6_X.NASL
    description Security Fix(es) : - An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 104866
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104866
    title Scientific Linux Security Update : apr on SL6.x, SL7.x i386/x86_64
redhat via4
advisories
  • bugzilla
    id 1506523
    title CVE-2017-12613 apr: Out-of-bounds array deref in apr_time_exp*() functions
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhba:tst:20111656001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhba:tst:20111656002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhba:tst:20111656003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20111656004
      • OR
        • AND
          • comment apr is earlier than 0:1.3.9-5.el6_9.1
            oval oval:com.redhat.rhsa:tst:20173270005
          • comment apr is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110507018
        • AND
          • comment apr-devel is earlier than 0:1.3.9-5.el6_9.1
            oval oval:com.redhat.rhsa:tst:20173270007
          • comment apr-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110507020
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhba:tst:20150364001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhba:tst:20150364002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhba:tst:20150364003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20150364004
      • OR
        • AND
          • comment apr is earlier than 0:1.4.8-3.el7_4.1
            oval oval:com.redhat.rhsa:tst:20173270014
          • comment apr is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110507018
        • AND
          • comment apr-devel is earlier than 0:1.4.8-3.el7_4.1
            oval oval:com.redhat.rhsa:tst:20173270013
          • comment apr-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110507020
    rhsa
    id RHSA-2017:3270
    released 2017-11-28
    severity Important
    title RHSA-2017:3270: apr security update (Important)
  • rhsa
    id RHSA-2017:3475
  • rhsa
    id RHSA-2017:3476
  • rhsa
    id RHSA-2017:3477
  • rhsa
    id RHSA-2018:0316
  • rhsa
    id RHSA-2018:0465
  • rhsa
    id RHSA-2018:0466
  • rhsa
    id RHSA-2018:1253
rpms
  • apr-0:1.3.9-5.el6_9.1
  • apr-devel-0:1.3.9-5.el6_9.1
  • apr-0:1.4.8-3.el7_4.1
  • apr-devel-0:1.4.8-3.el7_4.1
refmap via4
bid 101560
confirm
mlist
  • [announce] 20171023 Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released
  • [debian-lts-announce] 20171106 [SECURITY] [DLA 1162-1] apr security update
sectrack 1042004
Last major update 23-10-2017 - 21:29
Published 23-10-2017 - 21:29
Last modified 02-10-2019 - 20:03
Back to Top