CVE-2017-12613 — HIGH (7.1)

Q: How severe is CVE-2017-12613?

CVE-2017-12613 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-12613?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Portable Runtime, Debian Debian Linux, Redhat Jboss Core Services, Redhat Jboss Enterprise Web Server, Redhat Software Collections.

Vulnerability Description

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Portable Runtime	< 1.7.0
Debian	Debian Linux	7.0
Redhat	Jboss Core Services	-
Redhat	Jboss Enterprise Web Server	3.0.0
Redhat	Software Collections	1.0
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Eus	6.7
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	6.4
Redhat	Enterprise Linux Server Tus	6.6
Redhat	Enterprise Linux Workstation	6.0

Related Weaknesses (CWE)

CWE-125

References

http://www.apache.org/dist/apr/Announcement1.x.htmlRelease NotesVendor Advisory
http://www.openwall.com/lists/oss-security/2021/08/23/1Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/101560Broken Link
http://www.securitytracker.com/id/1042004Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:3270Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3475Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3476Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3477Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0316Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0465Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0466Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1253Third Party Advisory
https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80Issue TrackingVendor Advisory
https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757
https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b0

FAQ

What is CVE-2017-12613?

CVE-2017-12613 is a vulnerability with a CVSS score of 7.1 (HIGH). When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting th...

How severe is CVE-2017-12613?

CVE-2017-12613 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-12613?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Portable Runtime, Debian Debian Linux, Redhat Jboss Core Services, Redhat Jboss Enterprise Web Server, Redhat Software Collections.