CVE-2017-12613

Published: Oct 24, 2017Modified: May 13, 2026

7.1

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Exploitability: 1.8 / Impact: 5.2

Source: NVD

Description

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

Affected (33)

Products: Apache: Portable Runtime · Debian: Debian Linux · Redhat: Enterprise Linux Desktop, Enterprise Linux Eus, Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Server Tus, Enterprise Linux Workstation, Jboss Core Services, Jboss Enterprise Web Server, Software Collections

1 product

1 product

9 products

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Tus

Enterprise Linux Workstation

Jboss Core Services

Jboss Enterprise Web Server

Software Collections

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Portable Runtime	Before 1.7.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 9.0

Configuration C

30 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Eus	Version 6.7
Redhat Enterprise Linux Eus	Version 7.3
Redhat Enterprise Linux Eus	Version 7.4
Redhat Enterprise Linux Eus	Version 7.5
Redhat Enterprise Linux Eus	Version 7.6
Redhat Enterprise Linux Eus	Version 7.7
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Server Aus	Version 6.4
Redhat Enterprise Linux Server Aus	Version 6.5
Redhat Enterprise Linux Server Aus	Version 6.6
Redhat Enterprise Linux Server Aus	Version 7.2
Redhat Enterprise Linux Server Aus	Version 7.3
Redhat Enterprise Linux Server Aus	Version 7.4
Redhat Enterprise Linux Server Aus	Version 7.6
Redhat Enterprise Linux Server Aus	Version 7.7
Redhat Enterprise Linux Server Tus	Version 6.6
Redhat Enterprise Linux Server Tus	Version 7.2
Redhat Enterprise Linux Server Tus	Version 7.3
Redhat Enterprise Linux Server Tus	Version 7.4
Redhat Enterprise Linux Server Tus	Version 7.6
Redhat Enterprise Linux Server Tus	Version 7.7
Redhat Enterprise Linux Workstation	Version 6.0
Redhat Enterprise Linux Workstation	Version 7.0
Redhat Jboss Core Services	All versions
Redhat Jboss Core Services	Version 1.0
Redhat Jboss Enterprise Web Server	Version 3.0.0
Redhat Software Collections	Version 1.0

Related CWEs

CWE-125

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

References (42)

http://www.apache.org/dist/apr/Announcement1.x.html

Source: security@apache.org

Release NotesVendor Advisory

http://www.openwall.com/lists/oss-security/2021/08/23/1

Source: security@apache.org

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/101560

Source: security@apache.org

Broken Link

http://www.securitytracker.com/id/1042004

Source: security@apache.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:3270

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3475

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3476

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3477

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0316

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0465

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:0466

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1253

Source: security@apache.org

Third Party Advisory

https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E

Source: security@apache.org

Issue TrackingVendor Advisory

https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339%40%3Ccommits.apr.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9%40%3Ccommits.apr.apache.org%3E

Source: security@apache.org

https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html

Source: security@apache.org

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html

Source: security@apache.org

Mailing ListThird Party Advisory

https://svn.apache.org/viewvc?view=revision&revision=1807976

Source: security@apache.org

Issue TrackingThird Party Advisory

http://www.apache.org/dist/apr/Announcement1.x.html