Apache Portable Runtime Library apr_time_exp_get() Out-of-Bounds Array Dereference Vulnerability
CVE Number – CVE-2017-12613
A vulnerability in Apache Portable Runtime Library could allow an unauthenticated, remote attacker to gain access to sensitive information on a targeted system.
The vulnerability is due to an out-of-bounds array dereference in the apr_time_exp_get() function of the affected software. An attacker could exploit this vulnerability by causing the function to read memory outside the bounds of the array. A successful exploit could allow the attacker to gain access to sensitive information or cause a denial of service (DoS) condition on the targeted system.
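The defect class described above is an array index taken from caller-supplied data and used without validation. The following illustration is added for this page and is not APR's own code: it places a simplified month-indexed lookup (an unchecked conversion beside a bounds-checked one) side by side, so the check that prevents the out-of-bounds read is explicit. The struct, function names, error codes and table are assumptions made for the example, not identifiers from APR.

```c
/*
 * Added illustration (not APR's source): the defensive pattern that
 * prevents an out-of-bounds array dereference when a caller-supplied
 * month field is used as an index into a fixed-size lookup table.
 * All names, error codes and the table below are assumptions for this
 * example only.
 */
#include <stdio.h>

#define MONTHS_PER_YEAR 12

/* Assumed error codes for this example only. */
#define EX_SUCCESS  0
#define EX_EBADDATE 1

/* Cumulative day count before the start of each month (non-leap year). */
static const int days_before_month[MONTHS_PER_YEAR] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};

/* Minimal stand-in for a broken-down time value; only two fields matter here. */
struct example_exp_time {
    int tm_mon;   /* months since January, valid range 0..11 */
    int tm_mday;  /* day of month, valid range 1..31 */
};

/*
 * Unchecked variant: trusts tm_mon and indexes the table directly.
 * With tm_mon outside 0..11 this reads outside the array, which is
 * undefined behaviour: it can expose adjacent static data or crash.
 * Only ever call it with already-validated input.
 */
int day_of_year_unchecked(const struct example_exp_time *xt, int *out)
{
    *out = days_before_month[xt->tm_mon] + (xt->tm_mday - 1);
    return EX_SUCCESS;
}

/*
 * Hardened variant: validates every field used as an index or operand
 * before touching the table, and reports a bad-date error instead.
 */
int day_of_year_checked(const struct example_exp_time *xt, int *out)
{
    if (xt->tm_mon < 0 || xt->tm_mon >= MONTHS_PER_YEAR)
        return EX_EBADDATE;
    if (xt->tm_mday < 1 || xt->tm_mday > 31)
        return EX_EBADDATE;
    *out = days_before_month[xt->tm_mon] + (xt->tm_mday - 1);
    return EX_SUCCESS;
}

/* Convenience wrapper: 0-based day of year, or -1 when the date is rejected. */
int checked_day_of_year(int mon, int mday)
{
    struct example_exp_time xt = { mon, mday };
    int doy = -1;
    if (day_of_year_checked(&xt, &doy) != EX_SUCCESS)
        return -1;
    return doy;
}

int main(void)
{
    /* Constructed inputs: a valid date and an out-of-range month. */
    struct example_exp_time ok = { 2, 1 };   /* March 1 */
    int doy = -1;

    day_of_year_unchecked(&ok, &doy);        /* safe: input already valid */
    printf("March 1 (unchecked) -> day %d\n", doy);
    printf("March 1 (checked)   -> day %d\n", checked_day_of_year(2, 1));
    printf("month 13 (checked)  -> %d (rejected)\n", checked_day_of_year(13, 1));
    return 0;
}
```

The point to take from the two variants is that the hardened function fails closed: an out-of-range month produces an error code the caller can handle, whereas the unchecked one silently reads whatever sits beside the table.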
The Apache Software Foundation has confirmed the vulnerability and released software updates.
-
To exploit this vulnerability, the attacker may need access to trusted or internal networks to transmit malicious data to a targeted system. This access requirement could reduce the likelihood of a successful exploit.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to monitor affected systems.
-
The Apache Software Foundation has released a security announcement at the following link: CVE-2017-12613
Red Hat has released an official CVE statement and security advisories for bug 1506523 at the following links: CVE-2017-12613, RHSA-2017-3475, RHSA-2017-3476, RHSA-2017-3477, and RHSA-2018-0316
-
The Apache Software Foundation has released software updates at the following link: APR-util 1.6.3
CentOS packages can be updated using the up2date or yum command.
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later by using the yum tool.

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security and has a wide range of other skills in radio, electronics and telecommunications.