CVE-2009-2412: Apache httpd: APR apr_palloc heap overflow - Connect IT Community | Kaseya
<main>
<article class="userContent">
<h3 data-id="cve-id"><strong>CVE ID</strong></h3>
<p>CVE-2009-2412</p>
<h3 data-id="description"><strong>DESCRIPTION</strong></h3>
<p>A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that call apr_palloc() with a user-controlled size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so the flaw could only be triggered through some other application that uses apr_palloc() in a vulnerable way.</p>
<h3 data-id="detail-from-the-cve">Detail from the CVE</h3>
<p>The affected asset is vulnerable to this Apache vulnerability ONLY if a non-Apache application passes unsanitized user-provided sizes to the apr_palloc() function. Review your web server configuration for validation.</p>
<p>Severity: low</p>
<p>Unitrends has no exposure because Unitrends web programs do not allocate user-controlled sizes.</p>
<h3 data-id="resolution"><strong>RESOLUTION</strong></h3>
<p>For CentOS5, apr-1.2.7-11.el5_3.1 and apr-util-1.2.7-7.el5_3.2 or later contain the fix, and Unitrends appliances should already have apr-util-1.2.7-7.el5_3.2.</p>
<p>For CentOS6, the distribution already contains this fix.</p>
<p>Fixed in Apache httpd 2.2.13.</p>
<h3 data-id="link-to-advisories"><strong>LINK TO ADVISORIES</strong></h3>
<ul>
<li><a rel="nofollow" href="https://access.redhat.com/security/cve/CVE-2009-2412">https://access.redhat.com/security/cve/CVE-2009-2412</a></li>
<li><a rel="nofollow" href="http://httpd.apache.org/security/vulnerabilities_22.html">http://httpd.apache.org/security/vulnerabilities_22.html</a></li>
</ul>
</article>
</main>
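The description above says the flaw bites only when a program hands apr_palloc() a size the user controls. The example below, added to this article and not taken from APR or from Unitrends, models the general shape of that defect in a simplified pool-style allocator: the request is rounded up to an alignment boundary, and for a size near SIZE_MAX that rounding wraps to a tiny value, so the allocator returns far less memory than the caller believes it has. The names align_unchecked, align_checked, pool_alloc_user and ALIGN_DEFAULT are assumptions for this illustration and are not APR identifiers; the point for a defender is the two checks in pool_alloc_user, which are what an application must apply before passing an untrusted length to any pool allocator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Alignment granularity of the toy pool (an assumption, not APR's value). */
#define ALIGN_DEFAULT 8

/* Round a request up to the next multiple of ALIGN_DEFAULT the way a
 * classic pool allocator does. No overflow check: for sizes within
 * ALIGN_DEFAULT - 1 of SIZE_MAX the addition wraps around and the
 * result is smaller than the request. */
size_t align_unchecked(size_t size)
{
    return (size + ALIGN_DEFAULT - 1) & ~(size_t)(ALIGN_DEFAULT - 1);
}

/* True when the unchecked rounding would hand back a block smaller
 * than the caller asked for, i.e. the invariant rounded >= size fails.
 * A caller that then writes `size` bytes overruns the heap block. */
bool rounding_wraps(size_t size)
{
    return align_unchecked(size) < size;
}

/* Hardened rounding: refuse instead of wrapping. */
bool align_checked(size_t size, size_t *rounded_out)
{
    if (size > SIZE_MAX - (ALIGN_DEFAULT - 1))
        return false;              /* would wrap */
    *rounded_out = align_unchecked(size);
    return true;
}

/* What an application should do before passing a user-supplied length
 * to a pool allocator: bound it by an application-specific maximum and
 * reject anything whose rounding would overflow. Returns NULL on refusal. */
void *pool_alloc_user(size_t requested, size_t max_allowed)
{
    size_t rounded;
    if (requested > max_allowed)
        return NULL;               /* policy bound on untrusted input */
    if (!align_checked(requested, &rounded))
        return NULL;               /* arithmetic bound */
    return malloc(rounded);        /* stands in for the pool's backing store */
}

int main(void)
{
    /* Constructed sample sizes: one ordinary, one adversarial. */
    size_t sizes[] = { 13, SIZE_MAX - 2 };
    for (size_t i = 0; i < 2; i++) {
        size_t s = sizes[i];
        printf("request %zu: unchecked rounding -> %zu, wraps=%s\n",
               s, align_unchecked(s), rounding_wraps(s) ? "yes" : "no");
        void *p = pool_alloc_user(s, 4096);
        printf("  pool_alloc_user(..., 4096) %s\n", p ? "accepted" : "refused");
        free(p);
    }
    return 0;
}
```

The unchecked rounding of SIZE_MAX - 2 yields 0, so a pool built on it would satisfy a near-unbounded request with an empty block; the checked path refuses it, and the policy bound refuses it even earlier. Applying such a bound at the point where the length leaves user control is the configuration review the CVE detail asks for.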