The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache APR, httpd: denial of service via apr_fnmatch

Synthesis of the vulnerability 

An attacker can cause a denial of service in applications that call apr_fnmatch() from APR. When mod_autoindex is enabled in Apache httpd, a remote attacker can send a crafted request in order to cause a denial of service.
Vulnerable software: APR-core, APR-util, Apache httpd, Debian, BIG-IP Hardware, TMOS, OpenView, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Mandriva Linux, NLD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, JBoss EAP by Red Hat, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity of this announce: 3/4.
Creation date: 12/05/2011.
Revisions dates: 12/05/2011, 13/05/2011.
References of this computer vulnerability: 703390, c02997184, c03011498, c03025215, CERTA-2011-AVI-296, CERTA-2011-AVI-309, CERTA-2011-AVI-515, CERTA-2011-AVI-618, CERTA-2013-AVI-243, CVE-2011-0419, DSA-2237-1, DSA-2237-2, HPSBMU02704, HPSBUX02702, HPSBUX02707, MDVSA-2011:084, openSUSE-SU-2011:0859-1, PSN-2012-11-767, PSN-2013-02-846, RHSA-2011:0507-01, RHSA-2011:0896-01, RHSA-2011:0897-01, SOL15920, SSA:2011-133-01, SSRT100606, SSRT100619, SSRT100626, SUSE-SU-2011:0763-1, SUSE-SU-2011:0763-2, SUSE-SU-2011:0797-1, SUSE-SU-2011:1229-1, VIGILANCE-VUL-10645.

Description of the vulnerability 

APR (Apache Portable Runtime) is the portability library used by the Apache web server: it offers a uniform interface to operating-system features and supplies its own implementation where the operating system lacks them.

The apr_fnmatch() function of the APR library, defined in "strings/apr_fnmatch.c", checks whether a file name matches a shell pattern such as "file*.txt". Its implementation is recursive: for each '*' it tries the rest of the pattern against every remaining suffix of the file name. When the pattern contains many '*' characters and the file name is long, the number of recursive calls grows combinatorially, and the function consumes a large amount of CPU time and stack.

The Apache httpd mod_autoindex module generates index pages of directories.

mod_autoindex calls apr_fnmatch() to keep only the entries matching a pattern; this pattern can be supplied by the client in the query string of the request (the P= option). However, when a directory containing long file names is indexed by mod_autoindex with such a pattern, apr_fnmatch() consumes a large amount of resources, which causes a denial of service.

An attacker can therefore create a denial of service in applications using apr_fnmatch of APR.
When mod_autoindex is enabled in Apache httpd, a remote attacker can therefore send a crafted request (a directory listing filtered by a pattern containing many '*') in order to create a denial of service.
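The following C program is an added illustration and is not code from APR or httpd. It contrasts a glob matcher written in the recursive style described above with an iterative matcher that backtracks to the most recent '*' and stays polynomial, then runs both over a constructed directory listing with a benign and a crafted P= pattern. The file names, the patterns, the THIRTY_AS name and the function names are assumptions made for the example; the real apr_fnmatch() also handles bracket expressions and escapes, which are left out here.

```c
/* Added example, not APR or httpd code: a minimal glob matcher written in the
 * recursive style of the pre-fix apr_fnmatch(), beside an iterative matcher
 * that backtracks to the most recent '*' and stays polynomial. Only '*' and
 * '?' are handled; bracket expressions and escapes are left out. */
#include <stdio.h>

static unsigned long rec_calls;   /* invocations of match_rec()      */
static unsigned long iter_steps;  /* loop iterations of match_iter() */

/* Constructed long file name (30 'a's), as an indexed directory might hold. */
#define THIRTY_AS "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"

/* Recursive style: on '*', retry the rest of the pattern against every
 * suffix of the string. Each further '*' multiplies the work again. */
int match_rec(const char *p, const char *s)
{
    rec_calls++;
    for (;;) {
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*')          /* a run of stars acts as one */
                p++;
            if (*p == '\0')
                return 1;              /* trailing '*' matches the rest */
            do {                       /* try every suffix, "" included */
                if (match_rec(p, s))
                    return 1;
            } while (*s++ != '\0');
            return 0;
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return 0;
        p++;
        s++;
    }
}

/* Iterative style: remember the last '*' and the string position it covers;
 * on a mismatch, let that '*' absorb one more character and resume there. */
int match_iter(const char *p, const char *s)
{
    const char *star_p = NULL;   /* pattern position just after the last '*' */
    const char *star_s = NULL;   /* string position where that '*' started  */

    while (*s != '\0') {
        iter_steps++;
        if (*p == '*') {
            star_p = ++p;
            star_s = s;
        } else if (*p == '?' || *p == *s) {
            p++;
            s++;
        } else if (star_p != NULL) {
            p = star_p;
            s = ++star_s;
        } else {
            return 0;
        }
    }
    while (*p == '*')
        p++;
    return *p == '\0';
}

/* What a "?P=<pattern>" query makes mod_autoindex do: keep the listed
 * names that match. Returns how many entries survive the filter. */
int filter_listing(const char *pattern, const char *const *names, int n,
                   int (*match)(const char *, const char *))
{
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (match(pattern, names[i]))
            kept++;
    return kept;
}

/* Measure the work each strategy spends on one pattern/string pair. */
unsigned long recursive_calls(const char *pattern, const char *s)
{
    rec_calls = 0;
    match_rec(pattern, s);
    return rec_calls;
}

unsigned long iterative_steps(const char *pattern, const char *s)
{
    iter_steps = 0;
    match_iter(pattern, s);
    return iter_steps;
}

int main(void)
{
    /* Constructed listing; a real one comes from the indexed directory. */
    static const char *const listing[] = {
        "index.html", "file01.txt", "file02.txt", "report.pdf", THIRTY_AS ".log"
    };
    const int n = (int)(sizeof listing / sizeof listing[0]);
    const char *benign = "file*.txt";        /* an ordinary ?P= filter */
    const char *hostile = "*a*a*a*a*a*a*b";  /* a crafted ?P= filter   */

    printf("%-16s keeps %d of %d entries\n", benign,
           filter_listing(benign, listing, n, match_iter), n);
    printf("%-16s recursive matcher: %lu calls on the long name\n", hostile,
           recursive_calls(hostile, THIRTY_AS ".log"));
    printf("%-16s iterative matcher: %lu steps on the long name\n", hostile,
           iterative_steps(hostile, THIRTY_AS ".log"));
    return 0;
}
```

Both matchers return the same answers, but the recursive one spends well over a hundred thousand calls rejecting the crafted pattern against a single 30-character name, and each additional '*' or each extra character of the name multiplies that again; the iterative one needs a few dozen steps. With IndexOptions IgnoreClient set, the P= value from the query string never reaches the matcher at all, which is why that workaround is effective even on an unpatched APR.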
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This weakness announce impacts software or systems such as APR-core, APR-util, Apache httpd, Debian, BIG-IP Hardware, TMOS, OpenView, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Mandriva Linux, NLD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, JBoss EAP by Red Hat, Slackware, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this vulnerability alert is important.

The trust level is: confirmed by the vendor, with an origin of: internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat 

Apache APR: version 1.4.4.
The version 1.4.4 is corrected:
  http://apr.apache.org/download.cgi
  http://www.apache.org/dist/apr/

Apache APR: version 1.3.11.
The version 1.3.11 is corrected:
  http://apr.apache.org/download.cgi
  http://www.apache.org/dist/apr/

Apache httpd: version 2.2.18.
The version 2.2.18 is corrected:
  http://httpd.apache.org/download.cgi

Apache httpd: workaround for apr_fnmatch.
A workaround is to set the IgnoreClient option in the IndexOptions directive (for example IndexOptions +IgnoreClient), which makes mod_autoindex ignore query-string options such as the client-supplied P= pattern.

Debian: new apr packages.
New packages are available:
  apr version 1.2.12-5+lenny3 (Debian 5.0 lenny)
  apr version 1.4.2-6+squeeze2 (Debian 6.0 squeeze)

F5 BIG-IP: fixed versions for Apache.
Fixed versions are indicated in information sources.

HP OpenView NNM: Apache version 2.2.21.
The version Apache 2.2.21 is corrected:
  ftp.usa.hp.com
  user : sb02704
  password : Secure12

HP-UX: Apache version 2.2.15.08.01.
The following version is corrected:
HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09
  https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319
  B.11.23 & B.11.31 (32-bit) : HPUXWS22ATW-B319-32.depot
  B.11.23 & B.11.31 (64-bit) : HPUXWS22ATW-B319-64.depot

HP-UX: Apache Web Server corrected versions.
The following versions are corrected:
HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09
  https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319
  B.11.23 & B.11.31 (32-bit) : HPUXWS22ATW-B319-32.depot
  B.11.23 & B.11.31 (64-bit) : HPUXWS22ATW-B319-64.depot
HP-UX Web Server Suite (WSS) v2.34 containing Apache v2.0.64.02
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW234
  B.11.11 : HPUXWSATW-B234-1111.depot

Juniper NSM, NSMXpress: versions 2010.3s7, 2011.4s4, 2012.1.
Versions 2010.3s7, 2011.4s4 and 2012.1 are fixed:
  http://www.juniper.net/support/products/nsm/2012.1/

Junos Space: patch for Apache.
Patch 12.1P2.1 is available:
  http://www.juniper.net/support/downloads/?p=space#sw

Mandriva: new apr packages.
New packages are available:
 - Mandriva Enterprise Server 5: libapr1-1.3.3-2.2
 - Mandriva Corporate 4.0: libapr1-1.2.7-1.2
 - Mandriva Linux 2009.0: libapr1-1.3.3-2.2
 - Mandriva Linux 2010.0: libapr1-1.3.9-1.1
 - Mandriva Linux 2010.1: libapr1-1.4.2-1.1

Red Hat JBoss Enterprise Web Server: version 1.0.2.
The version 1.0.2 is corrected:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=1.0.2
  http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Web_Server/1.0/html-single/Release_Notes_1.0.2/index.html

RHEL: new apr packages.
New packages are available:
 - RHEL 4: apr-0.9.4-25.el4
 - RHEL 5: apr-1.2.7-11.el5
 - RHEL 6: apr-1.3.9-3.el6

Slackware: new apr, apr-util packages.
New packages are available:
  apr-1.4.4
  apr-util-1.3.11

Solaris: patch for Apache HTTP Server.
A patch is available:
  Solaris 8
    SPARC: 116973-10
    X86: 116974-10
  Solaris 9
    SPARC: 113146-14
    X86: 114145-13
  Solaris 10
    SPARC: 122911-26
    X86: 122912-26

Solaris: patch for APR.
A patch is available:
Solaris 10
  SPARC: 120543-24
  X86: 120544-24
Solaris 11 Express
  snv_151a + 7049240

Solaris: patch for C Library.
A patch is available:
  Solaris 9 :
    SPARC: 112874-48
    X86: 122301-64
  Solaris 10 :
    SPARC: 147713-01
    X86: 147714-01

SUSE CORE 9: new apache2 packages.
New packages are available:
  apache2-2.0.59-1.20

SUSE Linux Enterprise 10 SP3: new apache2 packages.
New packages are available:
  apache2-2.2.3-16.32.37.1

SUSE: new libapr packages.
New packages are available, as indicated in information sources.