The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache APR-util: denial of service via XML

Synthesis of the vulnerability

An attacker can construct complex XML data in order to generate a denial of service in applications linked to APR-util.
Vulnerable software: APR-util, Apache httpd, Debian, Fedora, HP-UX, NSM Central Manager, NSMXpress, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, RHEL, Slackware, SLES.
Severity of this announcement: 2/4.
Creation date: 04/06/2009.
References of this computer vulnerability: BID-35253, c02579879, CVE-2009-1955, DSA-1812-1, FEDORA-2009-5969, FEDORA-2009-6014, FEDORA-2009-6261, HPSBUX02612, MDVSA-2009:131, MDVSA-2009:131-1, MDVSA-2009:314, PSN-2012-11-767, RHSA-2009:1107-01, RHSA-2009:1108-01, RHSA-2009:1160-01, RHSA-2010:0602-02, SSA:2009-167-02, SSA:2009-214-01, SSRT100345, SUSE-SR:2009:013, SUSE-SR:2010:011, VIGILANCE-VUL-8761.

Description of the vulnerability

The Apache APR-util library implements an XML parser.

An XML entity (such as "&abc;") is declared in the document's DTD to define an alias for a character or a text string; the parser substitutes the replacement text wherever the entity is referenced.

An attacker can declare an entity whose replacement text references several other entities, each of which in turn references several further entities, and so on. The fully expanded entity is therefore very complex and very large even though the document itself is small. When the XML parser of APR-util expands this entity, it consumes a large amount of memory and CPU time.

An attacker can therefore construct complex XML data in order to generate a denial of service in applications linked to APR-util. The mod_webdav module, for example, is impacted, since it parses XML request bodies received from clients.
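The mitigation for this class of bug is to bound entity expansion before, or while, the document is parsed. The following added example (not code from Vigil@nce, Apache or APR-util) estimates the fully expanded size of every internal general entity declared in a document and rejects the document when the total exceeds a budget, before handing it to Python's expat binding. The memoised size computation costs time proportional to the number of declarations, not to the size of the expansion, which is the whole point: the check must itself be cheap. The sample document, the 10,000-character budget and all function names are constructed for this illustration.

```python
"""Pre-parse check that bounds XML entity expansion (added example)."""
import re
import xml.parsers.expat

# Regexes over the internal DTD subset. They cover ordinary general entity
# declarations, which is all that this size estimate needs; parameter
# entities ("<!ENTITY % ...>") are deliberately not matched.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(["\'])(.*?)\2\s*>', re.DOTALL)
ENTITY_REF = re.compile(r'&([\w.-]+);')


class EntityExpansionError(ValueError):
    """Raised when expanding the document's entities would exceed the budget."""


def declared_entities(xml_text):
    """Return {name: replacement_text} for internal general entities."""
    start = xml_text.find('<!DOCTYPE')
    if start == -1:
        return {}
    end = xml_text.find(']>', start)
    subset = xml_text[start:end if end != -1 else len(xml_text)]
    return {name: value for name, _quote, value in ENTITY_DECL.findall(subset)}


def expanded_size(name, entities, cache, stack, max_size):
    """Characters produced by fully expanding entity `name`.

    Memoised in `cache`, so each declaration is expanded once; `stack` holds
    the names currently being expanded so a self-referencing entity is
    reported instead of looping forever.
    """
    if name in cache:
        return cache[name]
    if name in stack:
        raise EntityExpansionError(f"recursive entity &{name};")
    if name not in entities:
        return 0  # undeclared or external entity: left to the real parser
    stack.add(name)
    value = entities[name]
    total = len(ENTITY_REF.sub('', value))  # literal characters in the value
    for ref in ENTITY_REF.findall(value):
        total += expanded_size(ref, entities, cache, stack, max_size)
        if total > max_size:
            raise EntityExpansionError(f"&{name}; expands past {max_size} characters")
    stack.discard(name)
    cache[name] = total
    return total


def check_entity_budget(xml_text, max_size=10_000):
    """Return the number of characters the body's entity references expand to,
    raising EntityExpansionError if any entity or the body exceeds `max_size`."""
    entities = declared_entities(xml_text)
    cache = {}
    for name in entities:
        expanded_size(name, entities, cache, set(), max_size)
    # Each reference from the document body costs the entity's full expansion.
    subset_end = xml_text.find(']>')
    body = xml_text[subset_end + 2:] if subset_end != -1 else xml_text
    total = sum(cache.get(ref, 0) for ref in ENTITY_REF.findall(body))
    if total > max_size:
        raise EntityExpansionError(f"document body expands to {total} characters")
    return total


def exceeds_budget(xml_text, max_size):
    """True if the document would be rejected under the given budget."""
    try:
        check_entity_budget(xml_text, max_size)
    except EntityExpansionError:
        return True
    return False


def parse_if_safe(xml_text, max_size=10_000):
    """Run the budget check, then parse with expat and return the text content."""
    check_entity_budget(xml_text, max_size)
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return ''.join(chunks)


# Constructed sample: three nesting levels, each entity referencing the
# previous one three times, so &c; expands to 3 * 3 = 9 characters.
NESTED_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE d [
  <!ENTITY a "x">
  <!ENTITY b "&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;">
]>
<d>&c;</d>"""

# Constructed sample of the recursion case, which the check reports directly.
RECURSIVE_SAMPLE = '<!DOCTYPE d [ <!ENTITY r "&r;"> ]><d>&r;</d>'

if __name__ == '__main__':
    print(check_entity_budget(NESTED_SAMPLE), repr(parse_if_safe(NESTED_SAMPLE)))
    print(exceeds_budget(NESTED_SAMPLE, 5), exceeds_budget(RECURSIVE_SAMPLE, 100))
```

In a deployment the budget would be set well below the memory an application is prepared to spend on one request, and the check would be applied to every XML body received from a network client, which is exactly the path mod_webdav exposes. The fixed APR-util releases listed below perform an equivalent bound inside the parser itself, so this pre-check is a defence in depth for code that cannot be upgraded immediately.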

This computer threat announcement impacts software or systems such as APR-util, Apache httpd, Debian, Fedora, HP-UX, NSM Central Manager, NSMXpress, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, RHEL, Slackware, SLES.

Our Vigil@nce team determined that the severity of this computer vulnerability is medium.

The trust level is "confirmed by the vendor", with an attack origin of "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner-level skill can exploit this vulnerability.

Solutions for this threat

Apache httpd: version 2.2.12.
Version 2.2.12 is corrected:
  http://httpd.apache.org/

Apache APR-util: version 1.3.7.
Version 1.3.7 is corrected:
  http://apr.apache.org/download.cgi
  http://www.apache.org/dist/apr/

Apache APR-util: version 0.9.7.
Version 0.9.7 is corrected:
  http://apr.apache.org/download.cgi

Apache APR-util: patch for XML.
A patch is available in information sources.

Debian: new apr-util packages.
New packages are available:
  http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-*_1.2.7+dfsg-2+etch2_*.deb
  http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-*_1.2.12+dfsg-8+lenny2_*.deb

Fedora: new apr-util packages.
New packages are available:
  apr-util-1.2.12-7.fc9
  apr-util-1.3.7-1.fc10
  apr-util-1.3.7-1.fc11

HP-UX: Apache version B.2.0.63.01.
Version B.2.0.63.01 is corrected:
  http://software.hp.com/

Juniper NSM, NSMXpress: versions 2010.3s7, 2011.4s4, 2012.1.
Versions 2010.3s7, 2011.4s4 and 2012.1 are fixed:
  http://www.juniper.net/support/products/nsm/2012.1/

Mandriva 2008.0: new apr packages.
New packages are available:
  apr-1.2.11-1.1mdv2008.0

Mandriva: new apr-util packages.
New packages are available:
  Mandriva Linux 2008.1: apr-util-1.2.12-4.1mdv2008.1
  Mandriva Linux 2009.0: apr-util-1.3.4-2.1mdv2009.0
  Mandriva Linux 2009.1: apr-util-1.3.4-9.1mdv2009.1
  Corporate 3.0: apache2-2.0.48-6.20.C30mdk
  Corporate 4.0: apr-util-1.2.7-6.1.20060mlcs4
  Multi Network Firewall 2.0: apache2-2.0.48-6.20.C30mdk

RHEL 3: new httpd packages.
New packages are available:
  Red Hat Enterprise Linux version 3: httpd-2.0.46-73.ent

RHEL 4, 5: new apr-util packages.
New packages are available:
  Red Hat Enterprise Linux version 4: apr-util-0.9.4-22.el4_8.1
  Red Hat Enterprise Linux version 5: apr-util-1.2.7-7.el5_3.1

RHEL 4 JBoss: new httpd22 packages.
New packages are available:
JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:
  httpd22-2.2.10-23.1.ep5.el4

RHEL 4: new Red Hat Certificate System 7.3 packages.
New packages are available, as indicated in information sources.

Slackware: new apr-util packages.
New packages are available:
  Slackware 11.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/apr-1.3.5-i486-1_slack11.0.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/apr-util-1.3.7-i486-1_slack11.0.tgz
  Slackware 12.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/apr-1.3.5-i486-1_slack12.0.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/apr-util-1.3.7-i486-1_slack12.0.tgz
  Slackware 12.1:
    ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/apr-1.3.5-i486-1_slack12.1.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/apr-util-1.3.7-i486-1_slack12.1.tgz
  Slackware 12.2:
    ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/apr-1.3.5-i486-1_slack12.2.tgz
    ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/apr-util-1.3.7-i486-1_slack12.2.tgz

Slackware: new httpd packages.
New packages are available:
  Slackware 12.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.12-i486-1_slack12.0.tgz
  Slackware 12.1:
    ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.12-i486-1_slack12.1.tgz
  Slackware 12.2:
    ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.12-i486-1_slack12.2.tgz

Solaris 10: patch for APR-util.
A patch is available:
  SPARC: 120543-18
  X86: 120544-18

SUSE: new packages (10/05/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (11/08/2009).
New packages are available.