Apache 2.2 < 2.2.13 APR apr_palloc Heap Overflow

This script is Copyright (C) 2012 Tenable Network Security, Inc.

Synopsis :

The remote web server is affected by a buffer overflow vulnerability.

Description :

According to its self-reported banner, the version of Apache 2.2
installed on the remote host is older than 2.2.13. As such, it
includes a bundled version of the Apache Portable Runtime (APR)
library that contains a flaw in 'apr_palloc()' that could cause a heap

Note that the Apache HTTP server itself does not pass unsanitized,
user-provided sizes to this function, so the flaw could only be
triggered through some other application that uses the bundled APR
library in a vulnerable way.

Solution :

Upgrade to Apache 2.2.13 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 7.4
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 57603

Bugtraq ID: 35949

CVE ID: CVE-2009-2412