The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.

This update fixes :

  - CVE-2011-0419 and CVE-2011-1928: unconstrained recursion     when processing patterns

  - CVE-2010-1623: a remote DoS (memory leak) in APR's     reqtimeout_filter function

The remote host is affected by the vulnerability described in GLSA-201405-24 (Apache Portable Runtime, APR Utility Library: Denial of Service)

    Multiple vulnerabilities have been discovered in Apache Portable Runtime       and APR Utility Library. Please review the CVE identifiers referenced       below for details.
  Impact :

    A remote attacker could cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

From Red Hat Security Advisory 2011:0844 :

Updated apr packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines.

The fix for CVE-2011-0419 (released via RHSA-2011:0507) introduced an infinite loop flaw in the apr_fnmatch() function when the APR_FNM_PATHNAME matching flag was used. A remote attacker could possibly use this flaw to cause a denial of service on an application using the apr_fnmatch() function. (CVE-2011-1928)

Note: This problem affected httpd configurations using the 'Location' directive with wildcard URLs. The denial of service could have been triggered during normal operation; it did not specifically require a malicious HTTP request.

This update also addresses additional problems introduced by the rewrite of the apr_fnmatch() function, which was necessary to address the CVE-2011-0419 flaw.

All apr users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the apr library, such as httpd, must be restarted for this update to take effect.

The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines.

The fix for CVE-2011-0419 introduced an infinite loop flaw in the apr_fnmatch() function when the APR_FNM_PATHNAME matching flag was used. A remote attacker could possibly use this flaw to cause a denial of service on an application using the apr_fnmatch() function.
(CVE-2011-1928)

Note: This problem affected httpd configurations using the 'Location' directive with wildcard URLs. The denial of service could have been triggered during normal operation; it did not specifically require a malicious HTTP request.

This update also addresses additional problems introduced by the rewrite of the apr_fnmatch() function, which was necessary to address the CVE-2011-0419 flaw.

All apr users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the apr library, such as httpd, must be restarted for this update to take effect.

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.0.  As such, it is reportedly affected by the following vulnerabilities :

 - An error exists in the 'generate-id' function in the    bundled libxslt library that can allow disclosure of    heap memory addresses. (CVE-2011-0195)

 - An unspecified input validation error exists and can    allow cross-site request forgery attacks. (CVE-2011-3846)

 - Unspecified errors can allow attackers to carry out    denial of service attacks via unspecified vectors.
   (CVE-2012-0135, CVE-2012-1993)

 - The bundled version of PHP contains multiple    vulnerabilities. (CVE-2010-3436, CVE-2010-4409,    CVE-2010-4645, CVE-2011-1148, CVE-2011-1153,    CVE-2011-1464, CVE-2011-1467, CVE-2011-1468,    CVE-2011-1470, CVE-2011-1471, CVE-2011-1938,    CVE-2011-2202, CVE-2011-2483, CVE-2011-3182,    CVE-2011-3189, CVE-2011-3267, CVE-2011-3268)

 - The bundled version of Apache contains multiple    vulnerabilities. (CVE-2010-1452, CVE-2010-1623,    CVE-2010-2068,  CVE-2010-2791, CVE-2011-0419,    CVE-2011-1928, CVE-2011-3192, CVE-2011-3348,    CVE-2011-3368, CVE-2011-3639)

 - OpenSSL libraries are contained in several of the    bundled components and contain multiple vulnerabilities.
   (CVE-2011-0014, CVE-2011-1468, CVE-2011-1945,    CVE-2011-3207,CVE-2011-3210)

 - Curl libraries are contained in several of the bundled    components and contain multiple vulnerabilities.
   (CVE-2009-0037, CVE-2010-0734, CVE-2011-2192)

This update fixes the following security issue :

  - 693778: unconstrained recursion when processing     patterns. (CVE-2011-0419 / CVE-2011-1928)

This update fixes the following security issues :

  - 650435: remote DoS in APR. (CVE-2010-1623)

  - 693778: unconstrained recursion when processing     patterns. (CVE-2011-0419 / CVE-2011-1928)

This update fixes the following security issues :

  - 650435: remote DoS in APR. (CVE-2010-1623)

  - 693778: unconstrained recursion when processing patterns     (CVE-2011-0419 / CVE-2011-1928)

Maksymilian Arciemowicz reported that a flaw in the fnmatch() implementation in the Apache Portable Runtime (APR) library could allow an attacker to cause a denial of service. This can be demonstrated in a remote denial of service attack against mod_autoindex in the Apache web server. (CVE-2011-0419)

Is was discovered that the fix for CVE-2011-0419 introduced a different flaw in the fnmatch() implementation that could also result in a denial of service. (CVE-2011-1928).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Move to 1.4.x branch.

Various bug fixes since 1.4.2.

Security: CVE-2011-0419 Reimplement apr_fnmatch() from scratch using a non-recursive algorithm; now has improved compliance with the fnmatch() spec.

Note: 1.4.3 was never officially released.

Fix CVE-2011-1928 introduced in 1.4.4.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Various bug fixes since 1.4.2.

Security: CVE-2011-0419 Reimplement apr_fnmatch() from scratch using a non-recursive algorithm; now has improved compliance with the fnmatch() spec.

Note: 1.4.3 was never officially released.

Release -2 should fix top_builddir problem from -1.

Fix CVE-2011-1928 introduced in 1.4.4.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated apr packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines.

The fix for CVE-2011-0419 (released via RHSA-2011:0507) introduced an infinite loop flaw in the apr_fnmatch() function when the APR_FNM_PATHNAME matching flag was used. A remote attacker could possibly use this flaw to cause a denial of service on an application using the apr_fnmatch() function. (CVE-2011-1928)

Note: This problem affected httpd configurations using the 'Location' directive with wildcard URLs. The denial of service could have been triggered during normal operation; it did not specifically require a malicious HTTP request.

This update also addresses additional problems introduced by the rewrite of the apr_fnmatch() function, which was necessary to address the CVE-2011-0419 flaw.

All apr users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the apr library, such as httpd, must be restarted for this update to take effect.

New apr and apr-util packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix a security issue in apr and a crash bug in apr-util.

According to its banner, the version of Apache 2.2.x running on the remote host is 2.2.18. It is, therefore, affected by a denial of service vulnerability due to an error in the fnmatch implementation in 'apr_fnmatch.c' in the bundled Apache Portable Runtime (APR) library. 

Successful exploitation of this vulnerability requires that 'mod_autoindex' be enabled. 

Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.

The Apache Portable Runtime Project reports :

A flaw was discovered in the apr_fnmatch() function in the Apache Portable Runtime (APR) library 1.4.4 (or any backported versions that contained the upstream fix for CVE-2011-0419). This could cause httpd workers to enter a hung state (100% CPU utilization).

apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in some situations.

It was discovered that the fix for CVE-2011-0419 under certain conditions could cause a denial-of-service (DoS) attack in APR (CVE-2011-1928).

Packages for 2010.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149 products_id=490

The updated packages have been patched to correct this issue.

Update :

Packages for Mandriva Linux 2010.0 were missing with the MDVSA-2011:095 advisory.

ID	Name	Product	Family	Severity
75785	openSUSE Security Update : apache2 (openSUSE-SU-2011:0859-1)	Nessus	SuSE Local Security Checks	medium
75424	openSUSE Security Update : apache2 (openSUSE-SU-2011:0859-1)	Nessus	SuSE Local Security Checks	medium
74066	GLSA-201405-24 : Apache Portable Runtime, APR Utility Library: Denial of Service	Nessus	Gentoo Local Security Checks	medium
68284	Oracle Linux 4 / 5 / 6 : apr (ELSA-2011-0844)	Nessus	Oracle Linux Local Security Checks	medium
61053	Scientific Linux Security Update : apr on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
61052	Scientific Linux Security Update : apr on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
58811	HP System Management Homepage < 7.0 Multiple Vulnerabilities	Nessus	Web Servers	critical
57215	SuSE 10 Security Update : libapr1 (ZYPP Patch Number 7610)	Nessus	SuSE Local Security Checks	medium
55566	SuSE 10 Security Update : libapr (ZYPP Patch Number 7611)	Nessus	SuSE Local Security Checks	medium
55564	SuSE 11.1 Security Update : libapr (SAT Patch Number 4845)	Nessus	SuSE Local Security Checks	medium
55563	SuSE 11.1 Security Update : libapr (SAT Patch Number 4845)	Nessus	SuSE Local Security Checks	medium
55095	Ubuntu 6.06 LTS / 8.04 LTS / 10.04 LTS / 10.10 / 11.04 : apache2, apr vulnerabilities (USN-1134-1)	Nessus	Ubuntu Local Security Checks	medium
54958	Fedora 13 : apr-1.4.5-1.fc13 (2011-7340)	Nessus	Fedora Local Security Checks	medium
54957	Fedora 14 : apr-1.4.5-1.fc14 (2011-6918)	Nessus	Fedora Local Security Checks	medium
54944	Fedora 15 : apr-1.4.5-1.fc15 (2011-6750)	Nessus	Fedora Local Security Checks	medium
54938	CentOS 4 / 5 : apr (CESA-2011:0844)	Nessus	CentOS Local Security Checks	medium
54932	RHEL 4 / 5 / 6 : apr (RHSA-2011:0844)	Nessus	Red Hat Local Security Checks	medium
54648	Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / current : apr/apr-util (SSA:2011-145-01)	Nessus	Slackware Local Security Checks	medium
54646	Apache 2.2.x < 2.2.18 APR apr_fnmatch DoS	Nessus	Web Servers	medium
54623	FreeBSD : Apache APR -- DoS vulnerabilities (99a5590c-857e-11e0-96b7-00300582f9fc)	Nessus	FreeBSD Local Security Checks	medium
54610	Mandriva Linux Security Advisory : apr (MDVSA-2011:095-1)	Nessus	Mandriva Local Security Checks	medium

Detections

Analytics

CVE-2011-1928

high

Tenable Plugins

medium

medium

medium

medium

medium

medium

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium