CVE编号
CVE-2017-12613利用情况
暂无补丁情况
官方补丁披露时间
2017-10-24漏洞描述
当在Apache Portable Runtime APR 1.6.2及更早版本中使用无效的month field value调用apr_time_exp*() or apr_os_exp_time*() 函数时,可以在将此值转换为apr_time_exp_t值时访问超出范围内存,可能会泄露内容不同的静态堆值或导致程序终止,并且可能显示出对使用未经验证的外部输入调用这些APR功能的应用程序的信息泄露或拒绝服务漏洞。解决建议
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E
参考链接 |
|
|---|---|
| http://www.apache.org/dist/apr/Announcement1.x.html | |
| http://www.openwall.com/lists/oss-security/2021/08/23/1 | |
| http://www.securityfocus.com/bid/101560 | |
| http://www.securitytracker.com/id/1042004 | |
| https://access.redhat.com/errata/RHSA-2017:3270 | |
| https://access.redhat.com/errata/RHSA-2017:3475 | |
| https://access.redhat.com/errata/RHSA-2017:3476 | |
| https://access.redhat.com/errata/RHSA-2017:3477 | |
| https://access.redhat.com/errata/RHSA-2018:0316 | |
| https://access.redhat.com/errata/RHSA-2018:0465 | |
| https://access.redhat.com/errata/RHSA-2018:0466 | |
| https://access.redhat.com/errata/RHSA-2018:1253 | |
| https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789d... | |
| https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43... | |
| https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c13838... | |
| https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c... | |
| https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a... | |
| https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b2... | |
| https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html | |
| https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html | |
| https://svn.apache.org/viewvc?view=revision&revision=1807976 |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | apache | portable_runtime | * |
Up to (including) 1.6.2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_7 | apr | * |
Up to (excluding) 0:1.3.9-5.el6_9.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12 | libapr1 | * |
Up to (excluding) 1.5.1-4.3 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_18.04_lts | apr | * |
Up to (excluding) 1.6.3-2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_18.10 | apr | * |
Up to (excluding) 1.6.3-2 |
|||||
- 攻击路径 本地
- 攻击复杂度 复杂
- 权限要求 普通权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 100
还没有评论,来说两句吧...