The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache APR-util: denial of service via apr_strmatch

Synthesis of the vulnerability 

An attacker can create a denial of service in applications using apr_strmatch of APR-util.
Vulnerable products: APR-util, Apache httpd, Debian, Fedora, HP-UX, WebSphere AS Traditional, NSM Central Manager, NSMXpress, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, RHEL, Slackware, SLES.
Severity of this weakness: 2/4.
Creation date: 05/06/2009.
References of this bulletin: BID-35221, c02579879, CERTA-2009-AVI-244, CERTA-2009-AVI-408, CERTA-2009-AVI-471, CERTA-2012-AVI-023, CVE-2009-0023, DSA-1812-1, FEDORA-2009-5969, FEDORA-2009-6014, FEDORA-2009-6261, HPSBUX02612, MDVSA-2009:131, MDVSA-2009:131-1, MDVSA-2009:314, PK87176, PK88341, PK88342, PK91361, PK99477, PK99478, PK99480, PSN-2012-11-767, RHSA-2009:1107-01, RHSA-2009:1108-01, RHSA-2009:1160-01, RHSA-2010:0602-02, SSA:2009-167-02, SSA:2009-214-01, SSRT100345, SUSE-SR:2009:013, VIGILANCE-VUL-8766.

Description of the vulnerability 

The Apache APR-util library offers the strmatch module, which searches for a pattern in a string using the Boyer-Moore-Horspool algorithm.

This algorithm uses a shift related to the offset of a character from the end of the pattern. For example, if the pattern is "cherche":
 - the shift of 'e' is 4 (chErche, the last 'e' is ignored)
 - the shift of 'h' is 1 (chercHe)
 - the shift of 'c' is 2 (cherChe)
 - the shift of 'r' is 3 (cheRche)

The strmatch module uses an array of 256 entries giving the shift of each character (shift['e']=4, etc.). However, the character is stored in a signed "char". When the character value is greater than 127, the index into the shift table is negative, which forces a read at an invalid address.

An attacker can therefore use a pattern containing characters greater than 127 in order to stop applications linked to Apache APR-util.
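The following C is an added illustration, not code from APR-util or from this bulletin: it builds the Horspool shift table exactly as the description above lays it out (default shift = pattern length, last character ignored), contrasts the signed "char" index with the unsigned index that a correct implementation relies on, and runs a search over a constructed text. Function names are my own.

```c
#include <string.h>
#include <stddef.h>

#define SHIFT_TABLE_SIZE 256

/* Boyer-Moore-Horspool shift table as described in the bulletin:
 * every byte defaults to the pattern length; a byte that occurs in the
 * pattern (last occurrence ignored) gets its distance from the end. */
static void build_shift_table(const char *pattern, size_t len,
                              size_t shift[SHIFT_TABLE_SIZE])
{
    size_t i;
    for (i = 0; i < SHIFT_TABLE_SIZE; i++)
        shift[i] = len;
    for (i = 0; i + 1 < len; i++)
        shift[(unsigned char)pattern[i]] = len - 1 - i; /* always 0..255 */
}

/* The defect class: a byte above 127 read through a signed char is
 * negative, so shift[signed_index(c)] would address memory before the table. */
int signed_index(signed char c)
{
    return (int)c;
}

/* The corrected index: the same byte viewed as unsigned, always 0..255. */
int unsigned_index(signed char c)
{
    return (int)(unsigned char)c;
}

/* Shift of one byte for a pattern, e.g. 4 for 'e' in "cherche". */
size_t shift_for(const char *pattern, unsigned char c)
{
    size_t shift[SHIFT_TABLE_SIZE];
    build_shift_table(pattern, strlen(pattern), shift);
    return shift[c];
}

/* Horspool search: offset of the first match of pattern in text, or -1. */
long horspool_find(const char *text, size_t text_len, const char *pattern)
{
    size_t shift[SHIFT_TABLE_SIZE];
    size_t len = strlen(pattern);
    size_t pos = 0;
    if (len == 0) return 0;
    if (len > text_len) return -1;
    build_shift_table(pattern, len, shift);
    while (pos + len <= text_len) {
        if (memcmp(text + pos, pattern, len) == 0)
            return (long)pos;
        /* advance by the shift of the text byte aligned with the pattern end */
        pos += shift[(unsigned char)text[pos + len - 1]];
    }
    return -1;
}
```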

For example, the following applications are vulnerable:
 - Apache httpd via a .htaccess file
 - mod_dav_svn if the "SVNMasterURI" directive is used
 - mod_apreq2
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This threat announcement impacts software or systems such as APR-util, Apache httpd, Debian, Fedora, HP-UX, WebSphere AS Traditional, NSM Central Manager, NSMXpress, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, RHEL, Slackware, SLES.

Our Vigil@nce team determined that the severity of this cybersecurity alert is medium.

The trust level is "confirmed by the editor", and the origin is "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

Apache httpd: version 2.2.12.
Version 2.2.12 is corrected:
  http://httpd.apache.org/

Apache APR-util: version 1.3.7.
Version 1.3.7 is corrected:
  http://apr.apache.org/download.cgi
  http://www.apache.org/dist/apr/

Apache APR-util: version 0.9.7.
Version 0.9.7 is corrected:
  http://apr.apache.org/download.cgi

Apache APR-util: patch for apr_strmatch.
A patch is available in information sources.

Debian: new apr-util packages.
New packages are available:
  http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-*_1.2.7+dfsg-2+etch2_*.deb
  http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-*_1.2.12+dfsg-8+lenny2_*.deb

Fedora: new apr-util packages.
New packages are available:
  apr-util-1.2.12-7.fc9
  apr-util-1.3.7-1.fc10
  apr-util-1.3.7-1.fc11

HP-UX: Apache version B.2.0.63.01.
Version B.2.0.63.01 is corrected:
  http://software.hp.com/

Juniper NSM, NSMXpress: versions 2010.3s7, 2011.4s4, 2012.1.
Versions 2010.3s7, 2011.4s4 and 2012.1 are fixed:
  http://www.juniper.net/support/products/nsm/2012.1/

Mandriva 2008.0: new apr packages.
New packages are available:
  apr-1.2.11-1.1mdv2008.0

Mandriva: new apr-util packages.
New packages are available:
  Mandriva Linux 2008.1: apr-util-1.2.12-4.1mdv2008.1
  Mandriva Linux 2009.0: apr-util-1.3.4-2.1mdv2009.0
  Mandriva Linux 2009.1: apr-util-1.3.4-9.1mdv2009.1
  Corporate 3.0: apache2-2.0.48-6.20.C30mdk
  Corporate 4.0: apr-util-1.2.7-6.1.20060mlcs4
  Multi Network Firewall 2.0: apache2-2.0.48-6.20.C30mdk

RHEL 3: new httpd packages.
New packages are available:
Red Hat Enterprise Linux version 3: httpd-2.0.46-73.ent

RHEL 4, 5: new apr-util packages.
New packages are available:
Red Hat Enterprise Linux version 4: apr-util-0.9.4-22.el4_8.1
Red Hat Enterprise Linux version 5: apr-util-1.2.7-7.el5_3.1

RHEL 4 JBoss: new httpd22 packages.
New packages are available:
JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:
  httpd22-2.2.10-23.1.ep5.el4

RHEL 4: new Red Hat Certificate System 7.3 packages.
New packages are available, as indicated in information sources.

Slackware: new apr-util packages.
New packages are available:
Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/apr-1.3.5-i486-1_slack11.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/apr-util-1.3.7-i486-1_slack11.0.tgz
Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/apr-1.3.5-i486-1_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/apr-util-1.3.7-i486-1_slack12.0.tgz
Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/apr-1.3.5-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/apr-util-1.3.7-i486-1_slack12.1.tgz
Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/apr-1.3.5-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/apr-util-1.3.7-i486-1_slack12.2.tgz

Slackware: new httpd packages.
New packages are available:
Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.12-i486-1_slack12.0.tgz
Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.12-i486-1_slack12.1.tgz
Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.12-i486-1_slack12.2.tgz

Solaris 10: patch for APR-util.
A patch is available:
  SPARC: 120543-18
  X86: 120544-18

SUSE: new packages (11/08/2009).
New packages are available.

WebSphere AS: APAR for Apache.
An APAR is available:
IBM (PK87176):
  http://www-01.ibm.com/support/docview.wss?uid=swg1PK99477
IBM (PK88341, PK88342):
  http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478
IBM (PK91361):
  http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480

Computer vulnerabilities tracking service 

Vigil@nce provides a software vulnerabilities alert. The Vigil@nce vulnerability database contains several thousand vulnerabilities.