Amazon Linux AMI update for apr

Published: 2024-08-06

Risk	High
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2021-35940 CVE-2022-24963 CVE-2017-12613
CWE-ID	CWE-125 CWE-190 CWE-200
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Amazon Linux AMI Operating systems & Components / Operating system apr Operating systems & Components / Operating system package or component
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Out-of-bounds read

EUVDB-ID: #VU56059

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35940

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a boundary condition in the "apr_time_exp*()" functions. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.

Note, the vulnerability exists due to a missing patch for #VU9477 (CVE-2017-12613).

Mitigation

Update the affected packages:

aarch64:
    apr-debuginfo-1.7.2-2.amzn2023.0.2.aarch64
    apr-1.7.2-2.amzn2023.0.2.aarch64
    apr-debugsource-1.7.2-2.amzn2023.0.2.aarch64
    apr-devel-1.7.2-2.amzn2023.0.2.aarch64

src:
    apr-1.7.2-2.amzn2023.0.2.src

x86_64:
    apr-debuginfo-1.7.2-2.amzn2023.0.2.x86_64
    apr-debugsource-1.7.2-2.amzn2023.0.2.x86_64
    apr-1.7.2-2.amzn2023.0.2.x86_64
    apr-devel-1.7.2-2.amzn2023.0.2.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

apr: before 1.7.2-2

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:

External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-016.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU71752

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24963

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow within the apr_encode() function. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

aarch64:
    apr-debuginfo-1.7.2-2.amzn2023.0.2.aarch64
    apr-1.7.2-2.amzn2023.0.2.aarch64
    apr-debugsource-1.7.2-2.amzn2023.0.2.aarch64
    apr-devel-1.7.2-2.amzn2023.0.2.aarch64

src:
    apr-1.7.2-2.amzn2023.0.2.src

x86_64:
    apr-debuginfo-1.7.2-2.amzn2023.0.2.x86_64
    apr-debugsource-1.7.2-2.amzn2023.0.2.x86_64
    apr-1.7.2-2.amzn2023.0.2.x86_64
    apr-devel-1.7.2-2.amzn2023.0.2.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

apr: before 1.7.2-2

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:

External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-016.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds read

EUVDB-ID: #VU9477

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12613

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to an out-of-bounds array dereference in the apr_time_exp_get() function. A remote attacker can access prior out-of-bounds memory, reveal the contents of a different static heap value and read arbitrary files or cause the application to crash.

Mitigation

Update the affected packages:

aarch64:
    apr-debuginfo-1.7.2-2.amzn2023.0.2.aarch64
    apr-1.7.2-2.amzn2023.0.2.aarch64
    apr-debugsource-1.7.2-2.amzn2023.0.2.aarch64
    apr-devel-1.7.2-2.amzn2023.0.2.aarch64

src:
    apr-1.7.2-2.amzn2023.0.2.src

x86_64:
    apr-debuginfo-1.7.2-2.amzn2023.0.2.x86_64
    apr-debugsource-1.7.2-2.amzn2023.0.2.x86_64
    apr-1.7.2-2.amzn2023.0.2.x86_64
    apr-devel-1.7.2-2.amzn2023.0.2.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

apr: before 1.7.2-2

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:

External links

http://alas.aws.amazon.com/AL2023/ALAS-2023-016.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.