httpd-users mailing list archives

From Craig Young <cyo...@tripwire.com>
Subject [users@httpd] Memory Safety Issues Handling SDBM
Date Mon, 23 Oct 2017 21:56:08 GMT
Apache HTTP Server security may be impacted by missing bounds checks in the SDBM implementation
from APR prior to version 1.6.3 (released October 22, 2017) [1]. SDBM can be used in various
parts of Apache HTTP Server including most notably for authentication and object caching.
While it is unlikely that a remote attacker could ever present the server with crafted SDBM
pages, the possibility exists that an attacker may be able to leverage this behavior in a
shared hosting environment to extract secrets from other sites.

These issues were identified using the AFL fuzzer with ASAN and have been assigned CVE-2017-12618
(APR).  As previously noted, the custom pool allocator used in APR can mask memory safety
issues from ASAN so it is possible that the risk may extend beyond application crashes and
information disclosure [2].

[1] http://www.apache.org/dist/apr/Announcement1.x.html
[2] https://fuzzing-project.org/tutorial-tips.html

Best Regards,
Craig Young
Principal Security Researcher, Tripwire VERT