CVE-2010-1623

MEDIUM

Description

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.

References

http://blogs.sun.com/security/entry/cve_2010_1623_memory_leak

http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049885.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049939.html

http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00011.html

http://marc.info/?l=bugtraq&m=130168502603566&w=2

http://secunia.com/advisories/41701

http://secunia.com/advisories/42015

http://secunia.com/advisories/42361

http://secunia.com/advisories/42367

http://secunia.com/advisories/42403

http://secunia.com/advisories/42537

http://secunia.com/advisories/43211

http://secunia.com/advisories/43285

http://security-tracker.debian.org/tracker/CVE-2010-1623

http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.627828

http://svn.apache.org/viewvc?view=revision&revision=1003492

http://svn.apache.org/viewvc?view=revision&revision=1003493

http://svn.apache.org/viewvc?view=revision&revision=1003494

http://svn.apache.org/viewvc?view=revision&revision=1003495

http://svn.apache.org/viewvc?view=revision&revision=1003626

http://ubuntu.com/usn/usn-1021-1

http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3

http://www.mandriva.com/security/advisories?name=MDVSA-2010:192

http://www.redhat.com/support/errata/RHSA-2010-0950.html

http://www.redhat.com/support/errata/RHSA-2011-0896.html

http://www.redhat.com/support/errata/RHSA-2011-0897.html

http://www.securityfocus.com/bid/43673

http://www.ubuntu.com/usn/USN-1022-1

http://www.vupen.com/english/advisories/2010/2556

http://www.vupen.com/english/advisories/2010/2557

http://www.vupen.com/english/advisories/2010/2806

http://www.vupen.com/english/advisories/2010/3064

http://www.vupen.com/english/advisories/2010/3065

http://www.vupen.com/english/advisories/2010/3074

http://www.vupen.com/english/advisories/2011/0358

http://www-01.ibm.com/support/docview.wss?uid=swg1PM31601

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12800

Details

Source: MITRE

Published: 2010-10-04

Updated: 2017-09-19

Type: CWE-119

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:apr-util:0.9.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:0.9.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.1.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.1.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.2.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:1.3.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:apr-util:*:*:*:*:*:*:*:* versions up to 1.3.9 (inclusive)

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 85946 | F5 Networks BIG-IP : Apache vulnerability (SOL15902) | Nessus | F5 Networks Local Security Checks | medium |
| 75785 | openSUSE Security Update : apache2 (openSUSE-SU-2011:0859-1) | Nessus | SuSE Local Security Checks | medium |
| 75424 | openSUSE Security Update : apache2 (openSUSE-SU-2011:0859-1) | Nessus | SuSE Local Security Checks | medium |
| 74066 | GLSA-201405-24 : Apache Portable Runtime, APR Utility Library: Denial of Service | Nessus | Gentoo Local Security Checks | medium |
| 68155 | Oracle Linux 4 / 5 / 6 : apr-util (ELSA-2010-0950) | Nessus | Oracle Linux Local Security Checks | medium |
| 800577 | Apache 2.2 < 2.2.17 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | high |
| 6793 | Apache 2.2 < 2.2.17 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 60915 | Scientific Linux Security Update : apr-util on SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 58811 | HP System Management Homepage < 7.0 Multiple Vulnerabilities | Nessus | Web Servers | critical |
| 55566 | SuSE 10 Security Update : libapr (ZYPP Patch Number 7611) | Nessus | SuSE Local Security Checks | medium |
| 55564 | SuSE 11.1 Security Update : libapr (SAT Patch Number 4845) | Nessus | SuSE Local Security Checks | medium |
| 55563 | SuSE 11.1 Security Update : libapr (SAT Patch Number 4845) | Nessus | SuSE Local Security Checks | medium |
| 51942 | Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : httpd (SSA:2011-041-03) | Nessus | Slackware Local Security Checks | medium |
| 51940 | Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : apr-util (SSA:2011-041-01) | Nessus | Slackware Local Security Checks | medium |
| 51776 | CentOS 4 : apr-util (CESA-2010:0950) | Nessus | CentOS Local Security Checks | medium |
| 51072 | RHEL 4 / 5 / 6 : apr-util (RHSA-2010:0950) | Nessus | Red Hat Local Security Checks | medium |
| 50824 | Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : apr-util vulnerability (USN-1022-1) | Nessus | Ubuntu Local Security Checks | medium |
| 50823 | Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : apache2 vulnerabilities (USN-1021-1) | Nessus | Ubuntu Local Security Checks | medium |
| 50532 | Fedora 14 : apr-util-1.3.10-1.fc14 (2010-16178) | Nessus | Fedora Local Security Checks | medium |
| 50393 | Fedora 13 : apr-util-1.3.10-1.fc13 (2010-15953) | Nessus | Fedora Local Security Checks | medium |
| 50392 | Fedora 12 : apr-util-1.3.10-1.fc12 (2010-15916) | Nessus | Fedora Local Security Checks | medium |
| 50070 | Apache 2.2.x < 2.2.17 Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 50069 | Apache 2.0.x < 2.0.64 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 49770 | FreeBSD : apr -- multiple vunerabilities (dd943fbb-d0fe-11df-95a8-00219b0fc4d8) | Nessus | FreeBSD Local Security Checks | medium |
| 49767 | Debian DSA-2117-1 : apr-util - denial of service | Nessus | Debian Local Security Checks | medium |
| 49739 | Mandriva Linux Security Advisory : apr-util (MDVSA-2010:192) | Nessus | Mandriva Local Security Checks | medium |