Apache 2.2 < 2.2.13 APR apr_palloc Heap Overflow

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a buffer overflow
vulnerability.

Description :

According to its self-reported banner, the version of Apache 2.2
installed on the remote host is older than 2.2.13. As such, it
includes a bundled version of the Apache Portable Runtime (APR)
library that contains a flaw in 'apr_palloc()' that could cause a heap
overflow.

Note that the Apache HTTP server itself does not pass unsanitized,
user-provided sizes to this function so it could only be triggered
through some other application that uses it in a vulnerable way.

See also :

http://httpd.apache.org/security/vulnerabilities_22.html

Solution :

Upgrade to Apache 2.2.13 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 57603 ()

Bugtraq ID: 35949

CVE ID: CVE-2009-2412