The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache APR-core: out-of-bounds memory reading via apr_exp_tim

Synthesis of the vulnerability

An attacker can force a read at an invalid address via apr_exp_tim() of Apache APR-core, in order to trigger a denial of service, or to obtain sensitive information.
Impacted software: APR-core, Mac OS X, Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, openSUSE Leap, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity of this computer vulnerability: 2/4.
Creation date: 24/10/2017.
References of this announcement: bulletinjul2018, bulletinjul2019, CVE-2017-12613, DLA-1162-1, FEDORA-2017-8d2cfc3752, HT209139, HT209193, JSA10873, K52319810, openSUSE-SU-2018:1214-1, RHSA-2017:3270-01, RHSA-2018:0465-01, RHSA-2018:0466-01, RHSA-2018:1253-01, SUSE-SU-2018:1322-1, VIGILANCE-VUL-24220.

Description of the vulnerability

An attacker can force a read at an invalid address via apr_exp_tim() of Apache APR-core, in order to trigger a denial of service, or to obtain sensitive information.

This cybersecurity vulnerability impacts software or systems such as APR-core, Mac OS X, Debian, BIG-IP Hardware, TMOS, Fedora, Junos Space, openSUSE Leap, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this vulnerability is medium.

The trust level is "confirmed by the vendor", with a vendor document as the origin.

An attacker with expert skills can exploit this weakness.

Solutions for this threat

Apache APR-core: version 1.6.3.
The version 1.6.3 is fixed:
  http://apr.apache.org/download.cgi

Apple macOS: version 10.14.
The version 10.14 is fixed:
  https://support.apple.com/

Apple macOS: version 10.14.1.
The version 10.14.1 is fixed:
  https://support.apple.com/

Debian 7: new apr packages.
New packages are available:
  Debian 7: apr 1.4.6-3+deb7u2

F5 BIG-IP: solution for APR.
The solution is indicated in information sources.

Fedora 26: new apr packages.
New packages are available:
  Fedora 26: apr 1.6.3-1.fc26

Junos Space: solution.
The solution is indicated in information sources.

openSUSE Leap 42.3: new libapr1 packages.
New packages are available:
  openSUSE Leap 42.3: libapr1 1.5.1-9.3.1

Oracle Solaris: patch for third party software of July 2018 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Oracle Solaris: patch for third party software of July 2019 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Red Hat JBoss Web Server: version 3.1.0 Service Pack 2.
The version 3.1.0 Service Pack 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1

RHEL: new apr packages.
New packages are available:
  RHEL 6: apr 1.3.9-5.el6_9.1
  RHEL 7: apr 1.4.8-3.el7_4.1

SUSE LE 11 SP4: new libapr1 packages.
New packages are available:
  SUSE LE 11 SP4: libapr1 1.3.3-11.18.19.13.2
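An inventory triage check written for this bulletin (an added example, not Vigil@nce or Apache code): it compares an installed apr/libapr1 build against the fixed builds listed above and reports which hosts still need the update. The (distribution, package) keys, the simplified version ordering and the sample inventory are this example's own assumptions.

```python
import re
# Fixed builds from the bulletin above; a package at or above its listed
# build carries the fix. Keys (distribution, package) are this script's own.
FIXED_VERSIONS = {
    ("upstream", "apr"): "1.6.3",
    ("debian7", "apr"): "1.4.6-3+deb7u2",
    ("fedora26", "apr"): "1.6.3-1.fc26",
    ("rhel6", "apr"): "1.3.9-5.el6_9.1",
    ("rhel7", "apr"): "1.4.8-3.el7_4.1",
    ("opensuse42.3", "libapr1"): "1.5.1-9.3.1",
    ("sles11sp4", "libapr1"): "1.3.3-11.18.19.13.2",
}
_TOKEN = re.compile(r"\d+|[A-Za-z]+")

def version_key(version):
    """Turn '1.4.6-3+deb7u2' into a comparable tuple: numeric runs compare as
    integers, alphabetic runs as strings. Simplified ordering (no dpkg/rpm
    epoch or tilde rules, no pre-release tags); enough for the final builds above."""
    return tuple((1, int(t)) if t.isdigit() else (0, t) for t in _TOKEN.findall(version))

def is_fixed(distribution, package, installed):
    """True when the installed build is at or above the bulletin's fixed build."""
    return version_key(installed) >= version_key(FIXED_VERSIONS[(distribution, package)])

def triage(inventory):
    """inventory: (host, distribution, package, installed_version) tuples, e.g.
    gathered from 'rpm -q apr' or 'dpkg -s apr'. Returns (host, status) pairs;
    status is 'unknown' when the table has no entry for that distribution."""
    results = []
    for host, distribution, package, installed in inventory:
        if (distribution, package) not in FIXED_VERSIONS:
            results.append((host, "unknown"))
        elif is_fixed(distribution, package, installed):
            results.append((host, "fixed"))
        else:
            results.append((host, "affected"))
    return results

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("web01", "rhel7", "apr", "1.4.8-3.el7"),
    ("web02", "rhel7", "apr", "1.4.8-3.el7_4.1"),
    ("build01", "upstream", "apr", "1.6.2"),
    ("suse01", "sles11sp4", "libapr1", "1.3.3-11.18.19.13.2"),
    ("mac01", "macos", "apr", "1.6.2"),
]
if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" (here the macOS entry) are not covered by the package table and must be checked against the vendor's own fixed version instead.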
