tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without     restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers     to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash     table. (CVE-2012-0840)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote host is affected by the vulnerability described in GLSA-201405-24 (Apache Portable Runtime, APR Utility Library: Denial of Service)

    Multiple vulnerabilities have been discovered in Apache Portable Runtime       and APR Utility Library. Please review the CVE identifiers referenced       below for details.
  Impact :

    A remote attacker could cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

CVE-2012-0840 apr: hash table collisions CPU usage DoS

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been found and corrected in ASF APR :

tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table (CVE-2012-0840).

APR has been upgraded to the latest version (1.4.6) which holds many improvments over the previous versions and is not vulnerable to this issue.

ID	Name	Product	Family	Severity
217593	Linux Distros Unpatched Vulnerability : CVE-2012-0840	Nessus	Misc.	high
74066	GLSA-201405-24 : Apache Portable Runtime, APR Utility Library: Denial of Service	Nessus	Gentoo Local Security Checks	medium
58188	Fedora 16 : apr-1.4.6-1.fc16 (2012-1709)	Nessus	Fedora Local Security Checks	medium
58187	Fedora 15 : apr-1.4.6-1.fc15 (2012-1656)	Nessus	Fedora Local Security Checks	medium
57955	Mandriva Linux Security Advisory : apr (MDVSA-2012:019)	Nessus	Mandriva Local Security Checks	medium

Detections

Analytics

CVE-2012-0840

high

Tenable Plugins

high

medium

medium

medium

medium