Re: About apache2 vulnerability with apr and apr-utils. How bad is it?


 



Hello William.


You mentioned as far as APR causing a DoS; how about the execution of arbitrary code through Apache, as the CVE says?

Thank you

Daniel

On Thu, Sep 10, 2009 at 6:54 PM, William A. Rowe, Jr. <wrowe@xxxxxxxxxxxxx> wrote:
David Taveras wrote:
>
> I run apache 2.2.9 & apache 2.2.11 both with  apr-1.2.11p2   &
> apr-util-1.2.10p2
>
> According to the CVE at
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412  only  0.9.x
> and 1.3.x are affected .  Could anybody confirm that this is so? If
> not.. how bad is this vulnerability to a user? Would mod_security help
> for this?

[cc'ing dev@ to point out this error]

The description of the CVE is wildly wrong.

There is no known exploit of these flaws relative to Apache httpd itself.
The version numbers you reference refer to APR, so this is applicable to
all distributions of httpd 2.x (2.0 included 0.9, 2.2 included 1.3).

Third-party modules might be affected; other projects or products using APR
may be affected; one project is known to be affected.

However, any code which is affected remains vulnerable, in that these
bugs would only be triggered by using untainted/untrusted input as the
memory allocation size.  Any affected application would be subject to
memory exhaustion DoS vectors until the code properly detaints the input
which determines the size of memory allocations.

This was granted a CVE strictly on the basis that the effects of the flaw
may unexpectedly be worse than expected; the affected code may unexpectedly
continue, rather than failing or segfaulting as expected, based on design.

Finally, mod_security is very unlikely to have any effect whatsoever on
this group of issues.  Input into httpd is already constrained in terms
of size before these calls to APR occur, so this is unlikely to affect
typical httpd modules.  Non-HTTP protocols, or HTTP implementations other
than httpd are more likely to be affected, again depending upon the code
used and caution exercised by the developer.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
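
The reply above says affected code stays exposed until it detaints the input that determines allocation sizes. The following is an added example, not code from the thread, from APR or from httpd: a length-prefixed record reader that caps and cross-checks a declared size before allocating. The record format, `MAX_RECORD_SIZE`, `align_checked` and `read_record` are assumptions made for illustration, and plain `malloc` stands in for an APR allocator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORD_SIZE ((size_t)64 * 1024) /* assumed policy cap */
#define ALIGN ((size_t)8)
enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_BAD_SIZE, PARSE_NOMEM };

/* Round n up to ALIGN; 0 means the rounding would wrap past SIZE_MAX. */
static size_t align_checked(size_t n)
{
    if (n > SIZE_MAX - (ALIGN - 1))
        return 0;
    return (n + (ALIGN - 1)) & ~(ALIGN - 1);
}

/* Hypothetical record: 4-byte big-endian length, then the payload. */
static enum parse_status read_record(const unsigned char *buf, size_t buflen,
                                     unsigned char **out, size_t *outlen)
{
    *out = NULL;
    *outlen = 0;
    if (buflen < 4)
        return PARSE_TRUNCATED;
    uint32_t declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (declared == 0 || declared > MAX_RECORD_SIZE)
        return PARSE_BAD_SIZE;      /* cap before any allocation */
    if (declared > buflen - 4)
        return PARSE_TRUNCATED;     /* claims more than was received */
    size_t alloc = align_checked(declared);
    if (alloc == 0)
        return PARSE_BAD_SIZE;
    if ((*out = malloc(alloc)) == NULL)
        return PARSE_NOMEM;
    memcpy(*out, buf + 4, declared);
    *outlen = declared;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed input: declares 0xffffffff bytes but carries one. */
    const unsigned char huge[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
    unsigned char *p;
    size_t n;
    enum parse_status st = read_record(huge, sizeof huge, &p, &n);
    free(p);
    return st == PARSE_BAD_SIZE ? 0 : 1;
}
```
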


