Risk | High |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2021-35940 CVE-2022-24963 CVE-2017-12613 |
CWE-ID | CWE-125 CWE-190 CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system apr Operating systems & Components / Operating system package or component |
Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU56059
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-35940
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a boundary condition in the "apr_time_exp*()" functions. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.
Note, the vulnerability exists due to a missing patch for #VU9477 (CVE-2017-12613).
Update the affected packages:
aarch64:Vulnerable software versions
apr-debuginfo-1.7.2-2.amzn2023.0.2.aarch64
apr-1.7.2-2.amzn2023.0.2.aarch64
apr-debugsource-1.7.2-2.amzn2023.0.2.aarch64
apr-devel-1.7.2-2.amzn2023.0.2.aarch64
src:
apr-1.7.2-2.amzn2023.0.2.src
x86_64:
apr-debuginfo-1.7.2-2.amzn2023.0.2.x86_64
apr-debugsource-1.7.2-2.amzn2023.0.2.x86_64
apr-1.7.2-2.amzn2023.0.2.x86_64
apr-devel-1.7.2-2.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
apr: before 1.7.2-2
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-016.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU71752
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-24963
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the apr_encode() function. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
apr-debuginfo-1.7.2-2.amzn2023.0.2.aarch64
apr-1.7.2-2.amzn2023.0.2.aarch64
apr-debugsource-1.7.2-2.amzn2023.0.2.aarch64
apr-devel-1.7.2-2.amzn2023.0.2.aarch64
src:
apr-1.7.2-2.amzn2023.0.2.src
x86_64:
apr-debuginfo-1.7.2-2.amzn2023.0.2.x86_64
apr-debugsource-1.7.2-2.amzn2023.0.2.x86_64
apr-1.7.2-2.amzn2023.0.2.x86_64
apr-devel-1.7.2-2.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
apr: before 1.7.2-2
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-016.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU9477
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-12613
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an out-of-bounds array dereference in the
apr_time_exp_get() function. A remote attacker can access prior
out-of-bounds memory, reveal the contents of a different static heap
value and read arbitrary files or cause the application to crash.
Update the affected packages:
aarch64:Vulnerable software versions
apr-debuginfo-1.7.2-2.amzn2023.0.2.aarch64
apr-1.7.2-2.amzn2023.0.2.aarch64
apr-debugsource-1.7.2-2.amzn2023.0.2.aarch64
apr-devel-1.7.2-2.amzn2023.0.2.aarch64
src:
apr-1.7.2-2.amzn2023.0.2.src
x86_64:
apr-debuginfo-1.7.2-2.amzn2023.0.2.x86_64
apr-debugsource-1.7.2-2.amzn2023.0.2.x86_64
apr-1.7.2-2.amzn2023.0.2.x86_64
apr-devel-1.7.2-2.amzn2023.0.2.x86_64
Amazon Linux AMI: All versions
apr: before 1.7.2-2
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2023-016.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.